Source: Quotation.exe.5852.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "rOPNbWS", "URL: ": "https://OKmk0UVQzAElqL6wiCX.net", "To: ": "mauro.aguiari@tthyssenkrupp.com", "ByHost: ": "smtp.tthyssenkrupp.com:587", "Password: ": "4nH0rm", "From: ": "mauro.aguiari@tthyssenkrupp.com"}
Source: 3.2.Quotation.exe.2ae0000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Quotation.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Quotation.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quotation.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Quotation.exe, 00000000.00000003.224530072.000000001ACF0000.00000004.00000001.sdmp, Quotation.exe, 00000002.00000003.229337012.000000001A430000.00000004.00000001.sdmp | Binary string: wntdll.pdbUGP
Source: Quotation.exe, 00000000.00000003.224530072.000000001ACF0000.00000004.00000001.sdmp, Quotation.exe, 00000002.00000003.229337012.000000001A430000.00000004.00000001.sdmp | Binary string: wntdll.pdb
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 208.91.199.223:587
Source: Malware configuration extractor | URLs: https://OKmk0UVQzAElqL6wiCX.net
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: unknown | DNS traffic detected: queries for: smtp.tthyssenkrupp.com
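Added example, not part of the sandbox output: the extractor row above hands over the exfiltration mailbox, its SMTP server and port, and a fallback URL. From and To are the same address on a lookalike domain, so that mailbox is the attacker's drop box for stolen credentials, not a victim. The Python below normalises the extractor record into indicators and runs them over constructed log lines modelled on the DNS, TCP and Snort rows above. The key=value log format, the field names and the DNS answer record are assumptions made for the example; the report shows the query and the flow but not the A record.

```python
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# The extractor row above, copied verbatim: every key carries a trailing ": ".
RAW_CONFIG = (
    '{"Username: ": "rOPNbWS", "URL: ": "https://OKmk0UVQzAElqL6wiCX.net", '
    '"To: ": "mauro.aguiari@tthyssenkrupp.com", "ByHost: ": "smtp.tthyssenkrupp.com:587", '
    '"Password: ": "4nH0rm", "From: ": "mauro.aguiari@tthyssenkrupp.com"}'
)

# Constructed log lines in an assumed key=value format, modelled on the report's
# DNS, TCP and Snort rows. The answer= field is an assumption: the report shows
# the query for smtp.tthyssenkrupp.com and the flow to 208.91.199.223:587 only.
SAMPLE_LOGS = [
    "dns  src=192.168.2.3 query=smtp.tthyssenkrupp.com answer=208.91.199.223",
    "flow src=192.168.2.3:49745 dst=208.91.199.223:587 proto=tcp",
    "dns  src=192.168.2.3 query=www.microsoft.com answer=13.107.4.52",
    "flow src=192.168.2.3:49810 dst=13.107.4.52:443 proto=tcp",
    "smtp src=192.168.2.3 mail_from=mauro.aguiari@tthyssenkrupp.com rcpt_to=mauro.aguiari@tthyssenkrupp.com",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize_config(raw: str) -> dict[str, str]:
    """Turn the extractor's '"Key: ": value' pairs into a plain lower-case-key dict."""
    return {k.strip(" :").lower(): v for k, v in json.loads(raw).items()}


def indicators(cfg: dict[str, str]) -> dict:
    """Derive the network and mailbox indicators worth blocking or hunting for."""
    host, _, port = cfg["byhost"].rpartition(":")
    return {
        "smtp_host": host.lower(),
        "smtp_port": int(port),
        # urlparse().hostname is already lower-cased
        "c2_domain": urlparse(cfg["url"]).hostname,
        # From and To are the same attacker-controlled drop mailbox in this config
        "mailboxes": {cfg["from"].lower(), cfg["to"].lower()},
    }


def match_logs(ioc: dict, lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_index, reason) for every log line that touches an indicator.

    Hostnames are learned from DNS lines so that a later flow to the resolved IP
    is attributed to the configured SMTP host, even though the config names no IP.
    """
    hits: list[tuple[int, str]] = []
    resolved: set[str] = set()
    watched = {ioc["smtp_host"], ioc["c2_domain"]}
    for idx, line in enumerate(lines):
        kind, _, rest = line.partition(" ")
        f = dict(FIELD_RE.findall(rest))
        if kind == "dns":
            name = f.get("query", "").lower().rstrip(".")
            if name in watched:
                hits.append((idx, f"DNS query for configured host {name}"))
                if "answer" in f:
                    resolved.add(f["answer"])
        elif kind == "flow":
            ip, _, port = f.get("dst", "").rpartition(":")
            if ip in resolved and port.isdigit() and int(port) == ioc["smtp_port"]:
                hits.append((idx, f"TCP to {ip}:{port}, resolved from {ioc['smtp_host']}"))
        elif kind == "smtp":
            for key in ("mail_from", "rcpt_to"):
                if f.get(key, "").lower() in ioc["mailboxes"]:
                    hits.append((idx, f"{key} is the configured exfiltration mailbox"))
    return hits


if __name__ == "__main__":
    ioc = indicators(normalize_config(RAW_CONFIG))
    for idx, reason in match_logs(ioc, SAMPLE_LOGS):
        print(f"line {idx}: {reason}")
```

The flow on port 587 is only reported when a preceding DNS line tied the destination IP to the configured SMTP host; without that context the same flow is silent, which is deliberate, since the IP alone is a shared mail-hosting address and would otherwise produce noise.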
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://ShQsty.com
Source: Quotation.exe, 00000003.00000002.591947363.0000000002E76000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.tthyssenkrupp.com
Source: Quotation.exe, 00000003.00000002.591947363.0000000002E76000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp, Quotation.exe, 00000003.00000002.591997459.0000000002E86000.00000004.00000001.sdmp | String found in binary or memory: https://OKmk0UVQzAElqL6wiCX.net
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Quotation.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Quotation.exe, 00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Quotation.exe, 00000000.00000002.226057088.00000000011FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: 3.2.Quotation.exe.2ae0000.5.unpack, <PrivateImplementationDetails>{CA5ED4A4-7A41-40CA-9BB4-FA1A7DF33EE0}/2041D7CD-063C-4ABF-9CEB-B28F8E9C6A58.cs | Large array initialization: .cctor: array initializer size 11966
Source: initial sample | Static PE information: Filename: Quotation.exe
Source: C:\Users\user\Desktop\Quotation.exe | Code functions: 0_2_00BF60C0, 0_2_00BF683C, 0_2_00BF0432, 0_2_00BF51BC, 0_2_00BF7991, 0_2_00BF55E0, 0_2_00BED929, 0_2_00BEA951, 0_2_00BF5B50
Source: C:\Users\user\Desktop\Quotation.exe | Code functions: 1_2_00BF60C0, 1_2_00BF683C, 1_2_00BF0432, 1_2_00BF51BC, 1_2_00BF7991, 1_2_00BF55E0, 1_2_00BED929, 1_2_00BEA951, 1_2_00BF5B50
Source: C:\Users\user\Desktop\Quotation.exe | Code functions: 3_2_0040A2A5, 3_2_029546A0, 3_2_02954690, 3_2_02954672
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BE715C appears 370 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BE6F06 appears 36 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BE7021 appears 40 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BE9160 appears 64 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BE6EF1 appears 84 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BEBFC3 appears 38 times
Source: Quotation.exe, 00000000.00000002.225849639.0000000000DF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Quotation.exe
Source: Quotation.exe, 00000000.00000003.224665367.000000001AE06000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.226102208.0000000002D90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDPUbepHNnATxXoHoUzhqZlOwJIdHMAIuMyV.exe4 vs Quotation.exe
Source: Quotation.exe, 00000002.00000003.233132793.000000001A59F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000002.00000002.233917057.0000000000B80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDPUbepHNnATxXoHoUzhqZlOwJIdHMAIuMyV.exe4 vs Quotation.exe
Source: Quotation.exe | Binary or memory string: OriginalFilename vs Quotation.exe
Source: Quotation.exe, 00000003.00000002.588164369.0000000000F39000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameDPUbepHNnATxXoHoUzhqZlOwJIdHMAIuMyV.exe4 vs Quotation.exe
Source: Quotation.exe, 00000003.00000002.585774836.0000000000B68000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation.exe
Source: Quotation.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.Quotation.exe.2ae0000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/0@2/1
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: C:\Users\user\Desktop\Quotation.exe | Command line arguments: Kernel32.dll, User32.dll (2x), IEUCIZEO | 0_2_00BE1040
Source: C:\Users\user\Desktop\Quotation.exe | Command line arguments: Kernel32.dll, User32.dll (2x), IEUCIZEO | 1_2_00BE1040
Source: Quotation.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Windows\System32\drivers\etc\hosts (3x)
Source: Quotation.exe | Virustotal: Detection: 36%
Source: Quotation.exe | ReversingLabs: Detection: 43%
Source: unknown | Process created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe' (2x)
Source: unknown | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe (2x)
Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe'
Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe (2x)
Source: C:\Users\user\Desktop\Quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Quotation.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Quotation.exe, 00000000.00000003.224530072.000000001ACF0000.00000004.00000001.sdmp, Quotation.exe, 00000002.00000003.229337012.000000001A430000.00000004.00000001.sdmp | Binary string: wntdll.pdbUGP
Source: Quotation.exe, 00000000.00000003.224530072.000000001ACF0000.00000004.00000001.sdmp, Quotation.exe, 00000002.00000003.229337012.000000001A430000.00000004.00000001.sdmp | Binary string: wntdll.pdb
Source: Quotation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Quotation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Quotation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Quotation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Quotation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BF1B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BE91A5 push ecx; ret | 0_2_00BE91B8
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00BE91A5 push ecx; ret | 1_2_00BE91B8
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00401F16 push ecx; ret | 3_2_00401F29
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00ECD85C push eax; retf | 3_2_00ECD85D
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX (50x)
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Quotation.exe | Window / User API: threadDelayed 7113
Source: C:\Users\user\Desktop\Quotation.exe | Window / User API: threadDelayed 2684
Source: C:\Users\user\Desktop\Quotation.exe TID: 5776 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\Quotation.exe TID: 5808 | Thread sleep count: 7113 > 30
Source: C:\Users\user\Desktop\Quotation.exe TID: 5808 | Thread sleep count: 2684 > 30
Source: C:\Users\user\Desktop\Quotation.exe TID: 5776 | Thread sleep count: 46 > 30
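Added example, not part of the sandbox output: the sleep rows above show two stalling patterns, a single very long delay on TID 5776 and thousands of short sleeps on TID 5808. The second pattern matters because sandboxes that only shorten long sleeps still lose the full wait to a loop of short ones. The Python below applies the two thresholds visible in the rows (more than 30 sleep calls on one thread; a delay of 30 s or more, single or cumulative) to a constructed API trace. The tid=/api=/ms= line format and the trace lines themselves are assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Thresholds taken from the report rows above ("sleep count ... > 30" and
# "sleep time ... >= -30000", i.e. 30 s written as a negative relative interval).
MANY_SLEEPS = 30
LONG_SLEEP_MS = 30_000
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}

LINE_RE = re.compile(r"tid=(\d+)\s+api=(\w+)\s+ms=(-?\d+)")

# Constructed API-trace lines (not sandbox data): one thread stalls with a loop of
# short sleeps, one issues a single long sleep, one sleeps a handful of times.
TRACE = (
    ["tid=5808 api=Sleep ms=10"] * 40
    + ["tid=5776 api=NtDelayExecution ms=-60000"]
    + ["tid=6000 api=SleepEx ms=100"] * 3
    + ["tid=6000 api=CreateFileW ms=0"]  # not a sleep API, must be ignored
)


def summarize_sleeps(trace: list[str]) -> dict[int, dict[str, int]]:
    """Per-thread count, total and maximum sleep duration in milliseconds."""
    stats: dict[int, dict[str, int]] = defaultdict(
        lambda: {"count": 0, "total_ms": 0, "max_ms": 0}
    )
    for line in trace:
        m = LINE_RE.search(line)
        if not m or m.group(2) not in SLEEP_APIS:
            continue
        tid = int(m.group(1))
        # NtDelayExecution expresses a relative wait as a negative interval
        ms = abs(int(m.group(3)))
        s = stats[tid]
        s["count"] += 1
        s["total_ms"] += ms
        s["max_ms"] = max(s["max_ms"], ms)
    return dict(stats)


def flag_stalling(trace: list[str]) -> list[tuple[int, list[str]]]:
    """Return [(tid, [reasons])] for threads whose sleeps look like sandbox stalling."""
    verdicts: list[tuple[int, list[str]]] = []
    for tid, s in sorted(summarize_sleeps(trace).items()):
        reasons = []
        if s["count"] > MANY_SLEEPS:
            # many short sleeps defeat sandboxes that only shorten long ones
            reasons.append(f"{s['count']} sleep calls")
        if s["max_ms"] >= LONG_SLEEP_MS:
            reasons.append(f"single sleep of {s['max_ms']} ms")
        elif s["total_ms"] >= LONG_SLEEP_MS:
            reasons.append(f"cumulative sleep of {s['total_ms']} ms")
        if reasons:
            verdicts.append((tid, reasons))
    return verdicts


if __name__ == "__main__":
    for tid, reasons in flag_stalling(TRACE):
        print(f"TID {tid}: {'; '.join(reasons)}")
```

The cumulative check is deliberately an else-branch of the single-sleep check so that one thread is not reported twice for the same wait.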
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: Quotation.exe, 00000003.00000002.595238686.0000000006137000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BE8A1C _memset,IsDebuggerPresent,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BF1B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: mov eax, dword ptr fs:[00000030h] at 0_2_00BE6A00, 0_2_00D4F471, 0_2_00D4F40E, 0_2_00D4F5B9, 0_2_00D4F3D1, 0_2_00D4EB62
Source: C:\Users\user\Desktop\Quotation.exe | Code function: mov eax, dword ptr fs:[00000030h] at 1_2_00BE6A00
Source: C:\Users\user\Desktop\Quotation.exe | Code function: mov eax, dword ptr fs:[00000030h] at 2_2_003DF735, 2_2_003DF58A, 2_2_003DF5ED, 2_2_003DECDE, 2_2_003DF54D
Source: C:\Users\user\Desktop\Quotation.exe | Code function: mov eax, dword ptr fs:[00000030h] at 3_2_004035F1
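Added example, not part of the sandbox output: every row above is a load of the PEB pointer through fs:[30h], the instruction that precedes hand-written reads of PEB.BeingDebugged or PEB.NtGlobalFlag (IsDebuggerPresent itself returns the same BeingDebugged byte). The Python below finds both x86 encodings of that load in a byte buffer and names the PEB field read immediately afterwards, so it can be run over the bytes of an unpacked section to triage which of the listed functions deserve a look. The code bytes it scans are constructed for the example. A hit is a lead, not a verdict: the C runtime reads the PEB too, so confirm the surrounding logic in a disassembler.

```python
from __future__ import annotations

import re

# fs:[0x30] is TEB.ProcessEnvironmentBlock on 32-bit Windows. Two encodings of
# "mov r32, dword ptr fs:[30h]": the short moffs32 form (64 A1 30 00 00 00, eax
# only) and the ModRM disp32 form (64 8B /r 30 00 00 00) for any of the 8 registers.
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)

# 32-bit PEB fields that anti-debug checks read right after fetching the pointer.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}

# Constructed code bytes (not taken from the sample): a BeingDebugged test and an
# NtGlobalFlag test wrapped in an ordinary prologue and epilogue.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC "               # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00 "      # mov eax, dword ptr fs:[30h]
    "8A 40 02 "               # mov al, byte ptr [eax+2]       ; PEB.BeingDebugged
    "84 C0 "                  # test al, al
    "75 10 "                  # jne short +0x10
    "64 8B 0D 30 00 00 00 "   # mov ecx, dword ptr fs:[30h]
    "8B 41 68 "               # mov eax, dword ptr [ecx+68h]   ; PEB.NtGlobalFlag
    "83 E0 70 "               # and eax, 70h                   ; heap debug flags
    "5D C3"                   # pop ebp ; ret
)


def scan_peb_access(code: bytes, base: int = 0) -> list[dict]:
    """Find PEB pointer loads and name the PEB field read immediately afterwards.

    A following "mov r8/r32, [reg+disp8]" (opcode 8A or 8B with ModRM mod=01)
    identifies the field; any other continuation is reported with field=None.
    """
    findings = []
    for m in PEB_LOAD.finditer(code):
        end = m.end()
        field = None
        if (
            end + 3 <= len(code)
            and code[end] in (0x8A, 0x8B)
            and (code[end + 1] & 0xC0) == 0x40
        ):
            disp = code[end + 2]
            field = PEB_FIELDS.get(disp, f"offset 0x{disp:02x}")
        findings.append({"va": base + m.start(), "bytes": m.group().hex(), "field": field})
    return findings


if __name__ == "__main__":
    for f in scan_peb_access(SAMPLE_CODE, base=0x401000):
        print(f"{f['va']:08x}  {f['bytes']:<16} -> {f['field']}")
```

Pass the raw bytes of the unpacked image's code section together with its section base so the reported addresses line up with the function addresses in the rows above.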
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BE6B80 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BEC0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00BEC080 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00BEC0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00BEC080 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: unknown target: C:\Users\user\Desktop\Quotation.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe'
Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
Source: Quotation.exe, 00000003.00000002.588794570.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Quotation.exe, 00000003.00000002.588794570.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Quotation.exe, 00000003.00000002.588794570.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Quotation.exe, 00000003.00000002.588794570.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3x)
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: Yara match | File source, type MEMORY:
  00000003.00000002.588164369.0000000000F39000.00000004.00000020.sdmp
  00000002.00000002.233917057.0000000000B80000.00000004.00000001.sdmp
  00000003.00000002.589076176.0000000002AE2000.00000040.00000001.sdmp
  00000003.00000002.585204726.0000000000400000.00000040.00000001.sdmp
  00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp
  00000000.00000002.226102208.0000000002D90000.00000004.00000001.sdmp
  00000003.00000002.592948035.0000000003B61000.00000004.00000001.sdmp
  00000003.00000002.588949913.0000000002970000.00000004.00000001.sdmp
  Process Memory Space: Quotation.exe PID: 6084
  Process Memory Space: Quotation.exe PID: 5824
  Process Memory Space: Quotation.exe PID: 5852
Source: Yara match | File source, type UNPACKEDPE:
  3.2.Quotation.exe.2970000.4.unpack
  3.2.Quotation.exe.2970000.4.raw.unpack
  2.2.Quotation.exe.b80000.1.raw.unpack
  3.2.Quotation.exe.400000.0.raw.unpack
  2.2.Quotation.exe.b80000.1.unpack
  0.2.Quotation.exe.2d90000.2.unpack
  3.2.Quotation.exe.2ae0000.5.unpack
  0.2.Quotation.exe.2d90000.2.raw.unpack
  3.2.Quotation.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2x)
Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source, type MEMORY:
  00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp
  Process Memory Space: Quotation.exe PID: 5852
Source: Yara match | File source, type MEMORY:
  00000003.00000002.588164369.0000000000F39000.00000004.00000020.sdmp
  00000002.00000002.233917057.0000000000B80000.00000004.00000001.sdmp
  00000003.00000002.589076176.0000000002AE2000.00000040.00000001.sdmp
  00000003.00000002.585204726.0000000000400000.00000040.00000001.sdmp
  00000003.00000002.589457084.0000000002B61000.00000004.00000001.sdmp
  00000000.00000002.226102208.0000000002D90000.00000004.00000001.sdmp
  00000003.00000002.592948035.0000000003B61000.00000004.00000001.sdmp
  00000003.00000002.588949913.0000000002970000.00000004.00000001.sdmp
  Process Memory Space: Quotation.exe PID: 6084
  Process Memory Space: Quotation.exe PID: 5824
  Process Memory Space: Quotation.exe PID: 5852
Source: Yara match | File source, type UNPACKEDPE:
  3.2.Quotation.exe.2970000.4.unpack
  3.2.Quotation.exe.2970000.4.raw.unpack
  2.2.Quotation.exe.b80000.1.raw.unpack
  3.2.Quotation.exe.400000.0.raw.unpack
  2.2.Quotation.exe.b80000.1.unpack
  0.2.Quotation.exe.2d90000.2.unpack
  3.2.Quotation.exe.2ae0000.5.unpack
  0.2.Quotation.exe.2d90000.2.raw.unpack
  3.2.Quotation.exe.400000.0.unpack