
Windows Analysis Report
30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe

Overview

General Information

Sample name: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
Analysis ID: 1365837
MD5: 6ddda01b781e92010749cae1248b6d51
SHA1: f33280d5dee0bcd5b5f07c8d38e50b3833288192
SHA256: 30eafdb7c2c580890c4fb2a7101db1d22c88bd723603ff37ac4f13928dd84b73
Tags: exe, QuasarRAT, RAT

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Quasar RAT
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • cleanup

Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

No configs have been found
Source | Rule | Description | Author | Strings
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Rule: Windows_Trojan_Quasarrat_e52df647 | Description: unknown | Author: unknown
  • 0x32b20:$a1: GetKeyloggerLogsResponse
  • 0x38e96:$a2: DoDownloadAndExecute
  • 0x3e650:$a3: http://api.ipify.org/
  • 0x3d1b7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x33375:$s1: DoUploadAndExecute
  • 0x38e96:$s2: DoDownloadAndExecute
  • 0x33143:$s3: DoShellExecute
  • 0x3356d:$s4: set_Processname
  • 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xf580:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xffed:$op3: 00 04 03 69 91 1B 40
  • 0x1084c:$op3: 00 04 03 69 91 1B 40
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Rule: Quasar_RAT_2 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x32b20:$x1: GetKeyloggerLogsResponse
  • 0x32db1:$s1: DoShellExecuteResponse
  • 0x2cafa:$s2: GetPasswordsResponse
  • 0x32c84:$s3: GetStartupItemsResponse
  • 0x28eae:$s4: <GetGenReader>b__7
  • 0x33389:$s5: RunHidden
  • 0x333a7:$s5: RunHidden
  • 0x333b5:$s5: RunHidden
  • 0x333c9:$s5: RunHidden
Source | Rule | Description | Author | Strings
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Rule: Windows_Trojan_Quasarrat_e52df647 | Description: unknown | Author: unknown
  • 0x32b20:$a1: GetKeyloggerLogsResponse
  • 0x38e96:$a2: DoDownloadAndExecute
  • 0x3e650:$a3: http://api.ipify.org/
  • 0x3d1b7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x33375:$s1: DoUploadAndExecute
  • 0x38e96:$s2: DoDownloadAndExecute
  • 0x33143:$s3: DoShellExecute
  • 0x3356d:$s4: set_Processname
  • 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xf580:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xffed:$op3: 00 04 03 69 91 1B 40
  • 0x1084c:$op3: 00 04 03 69 91 1B 40
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Rule: Quasar_RAT_2 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x32b20:$x1: GetKeyloggerLogsResponse
  • 0x32db1:$s1: DoShellExecuteResponse
  • 0x2cafa:$s2: GetPasswordsResponse
  • 0x32c84:$s3: GetStartupItemsResponse
  • 0x28eae:$s4: <GetGenReader>b__7
  • 0x33389:$s5: RunHidden
  • 0x333a7:$s5: RunHidden
  • 0x333b5:$s5: RunHidden
  • 0x333c9:$s5: RunHidden
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Quasarrat_e52df647 | Description: unknown | Author: unknown
  • 0x32920:$a1: GetKeyloggerLogsResponse
  • 0x38c96:$a2: DoDownloadAndExecute
  • 0x3e450:$a3: http://api.ipify.org/
  • 0x3cfb7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x33175:$s1: DoUploadAndExecute
  • 0x38c96:$s2: DoDownloadAndExecute
  • 0x32f43:$s3: DoShellExecute
  • 0x3336d:$s4: set_Processname
  • 0xf45c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xf380:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xfded:$op3: 00 04 03 69 91 1B 40
  • 0x1064c:$op3: 00 04 03 69 91 1B 40
Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: Quasar | Description: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
  • 0x3c327:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"]
  • 0x3cf72:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2}
  • 0x31066:$class: Core.MouseKeyHook.WinApi
Source | Rule | Description | Author | Strings
Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack | Rule: Windows_Trojan_Quasarrat_e52df647 | Description: unknown | Author: unknown
  • 0x32b20:$a1: GetKeyloggerLogsResponse
  • 0x38e96:$a2: DoDownloadAndExecute
  • 0x3e650:$a3: http://api.ipify.org/
  • 0x3d1b7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x33375:$s1: DoUploadAndExecute
  • 0x38e96:$s2: DoDownloadAndExecute
  • 0x33143:$s3: DoShellExecute
  • 0x3356d:$s4: set_Processname
  • 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xf580:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xffed:$op3: 00 04 03 69 91 1B 40
  • 0x1084c:$op3: 00 04 03 69 91 1B 40
Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack | Rule: Quasar_RAT_2 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x32b20:$x1: GetKeyloggerLogsResponse
  • 0x32db1:$s1: DoShellExecuteResponse
  • 0x2cafa:$s2: GetPasswordsResponse
  • 0x32c84:$s3: GetStartupItemsResponse
  • 0x28eae:$s4: <GetGenReader>b__7
  • 0x33389:$s5: RunHidden
  • 0x333a7:$s5: RunHidden
  • 0x333b5:$s5: RunHidden
  • 0x333c9:$s5: RunHidden
                  No Sigma rule has matched
Timestamp: 12/21/23-21:31:53.772646
Source IP: 192.168.2.4
Destination IP: 88.198.193.213
Source Port: 49734
Destination Port: 80
SID: 2814031
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/21/23-21:31:56.157554
Source IP: 192.168.2.4
Destination IP: 104.26.15.73
Source Port: 49737
Destination Port: 80
SID: 2814030
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/21/23-21:31:49.636142
Source IP: 192.168.2.4
Destination IP: 88.198.193.213
Source Port: 49729
Destination Port: 80
SID: 2814031
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/21/23-21:31:52.464064
Source IP: 192.168.2.4
Destination IP: 104.26.15.73
Source Port: 49732
Destination Port: 80
SID: 2814030
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Avira: detected
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Avira: detection malicious, Label: HEUR/AGEN.1305744
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | ReversingLabs: Detection: 83%
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | ReversingLabs: Detection: 83%
Source: Yara match | File source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Joe Sandbox ML: detected
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Joe Sandbox ML: detected
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Traffic | Snort IDS: 2814031 ETPRO TROJAN W32/Quasar RAT Connectivity Check 192.168.2.4:49729 -> 88.198.193.213:80
Source: Traffic | Snort IDS: 2814030 ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 192.168.2.4:49732 -> 104.26.15.73:80
Source: Traffic | Snort IDS: 2814031 ETPRO TROJAN W32/Quasar RAT Connectivity Check 192.168.2.4:49734 -> 88.198.193.213:80
Source: Traffic | Snort IDS: 2814030 ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 192.168.2.4:49737 -> 104.26.15.73:80
Source: Yara match | File source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 91.92.248.33:4782
Source: Joe Sandbox View | IP Address: 88.198.193.213 88.198.193.213
Source: Joe Sandbox View | IP Address: 104.26.15.73 104.26.15.73
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: freegeoip.net
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org
Source: unknown | HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.248.33
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org
Source: unknown | DNS traffic detected: queries for: telize.com
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, syscall.exe.0.dr | String found in binary or memory: http://api.ipify.org/3
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api4.ipify.org
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net/shutdown
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, syscall.exe.0.dr | String found in binary or memory: http://freegeoip.net/xml/
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net0
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.0000000003332000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.0000000003332000.00000004.00000800.00020000.00000000.sdmp, 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://telize.com
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, syscall.exe.0.dr | String found in binary or memory: http://telize.com/geoip
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.telize.com
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.telize.com
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.telize.com/geoip
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735

                  E-Banking Fraud

Source: Yara match | File source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED

                  System Summary

                  barindex
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects Quasar RAT Author: Florian Roth
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects Quasar RAT Author: Florian Roth
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects Patchwork malware Author: Florian Roth
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLEMatched rule: QuasarRAT payload Author: ditekSHen
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload | Author: ditekSHen
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects Patchwork malware | Author: Florian Roth
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: QuasarRAT payload | Author: ditekSHen
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File created: C:\Windows\SysWOW64\SubDir
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Code function: 0_2_0152A288 | 0_2_0152A288
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Code function: 0_2_015299B8 | 0_2_015299B8
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Code function: 0_2_01529670 | 0_2_01529670
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Binary or memory string: OriginalFilenameClient.exe4 vs 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: Quasar_RAT_1 | date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: Quasar_RAT_2 | date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: Vermin_Keylogger_Jan18_1 | date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: xRAT_1 | date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_KeyLogger_1 | date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: Quasar | hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer | author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarRAT | author = ditekSHen, description = QuasarRAT payload
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 | date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 | date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 | date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 | date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 | date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar | hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer | author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT | author = ditekSHen, description = QuasarRAT payload
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 | reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 | date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar | hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Windows_Trojan_Quasarrat_e52df647 | reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Quasar_RAT_1 | date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Quasar_RAT_2 | date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Vermin_Keylogger_Jan18_1 | date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: xRAT_1 | date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_KeyLogger_1 | date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: Quasar | hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer | author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarRAT | author = ditekSHen, description = QuasarRAT payload
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, -------.cs | Base64 encoded string: 'HyVsKPjmnpLETvfBOEUhRA6NrMvx9IDqZa/7RYWBxhj+dlDof5qz4Xvq0Y6Td1kh'
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/2@4/4
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.log
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_3ZXlEl51XWdb1Toq7s
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | ReversingLabs: Detection: 83%
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File read: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Process created: C:\Windows\SysWOW64\SubDir\syscall.exe C:\Windows\SysWOW64\SubDir\syscall.exe
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Process created: C:\Windows\SysWOW64\SubDir\syscall.exe C:\Windows\SysWOW64\SubDir\syscall.exe
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Code function: 0_2_01527068 pushad ; ret | 0_2_01527069

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Executable created and started: C:\Windows\SysWOW64\SubDir\syscall.exe
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File created: C:\Windows\SysWOW64\SubDir\syscall.exe

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File opened: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | File opened: C:\Windows\SysWOW64\SubDir\syscall.exe:Zone.Identifier read attributes | delete
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | File opened: C:\Windows\SysWOW64\SubDir\syscall.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\SubDir\syscall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Window / User API: threadDelayed 354
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Window / User API: threadDelayed 522
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Window / User API: threadDelayed 8874
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe TID: 6700 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe TID: 6664 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 6444 | Thread sleep count: 354 > 30
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 6444 | Thread sleep count: 522 > 30
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 | Thread sleep count: 166 > 30
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 | Thread sleep time: -415000s >= -30000s
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 | Thread sleep count: 8874 > 30
Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 | Thread sleep time: -22185000s >= -30000s
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Thread delayed: delay time: 922337203685477
Source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653375046.000000000164C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Process created: C:\Windows\SysWOW64\SubDir\syscall.exe C:\Windows\SysWOW64\SubDir\syscall.exe
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Queries volume information: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe VolumeInformation
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Queries volume information: C:\Windows\SysWOW64\SubDir\syscall.exe VolumeInformation
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\SysWOW64\SubDir\syscall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
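The behaviour rows above are the raw material for triage, and a responder usually wants them scored rather than read one by one. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It takes a handful of the rows printed above (constructed inline, with the source path and the event separated by a space where the export glued them together) and flags the indicators that matter here: WMI queries against Win32_BIOS, Win32_BaseBoard and Win32_Processor (hypervisor fingerprinting), the 922337203685477 ms delay (that value is .NET TimeSpan.MaxValue expressed in whole milliseconds, so the thread is parked indefinitely), sleep loops above the report's own threshold of 30, SeDebugPrivilege, execution of a freshly dropped binary from a non-standard subdirectory of SysWOW64, and the MachineGuid read. The repeated NOOPENFILEERRORBOX rows are deliberately ignored: that error mode is set by the .NET runtime at start-up and is not an indicator on its own. The list of fingerprint classes beyond the three seen here, the allowlist of System32 subdirectories, the 180 s long-sleep bound and the weights are assumptions to tune for your environment.

```python
"""Score sandbox-evasion and persistence indicators in Joe Sandbox behaviour rows.

Added example for this page; not Joe Sandbox code and not part of the sample.
SAMPLE_ROWS are rows from the report, normalised so that the source path and the
event are separated by a space.
"""
import re
from dataclasses import dataclass, field

SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 Thread sleep count: 8874 > 30",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe TID: 1880 Thread sleep time: -22185000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe Process token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe Process created: C:\Windows\SysWOW64\SubDir\syscall.exe C:\Windows\SysWOW64\SubDir\syscall.exe",
    r"Source: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\SysWOW64\SubDir\syscall.exe Process information set: NOOPENFILEERRORBOX",
]

TIMESPAN_MAX_MS = 922_337_203_685_477   # .NET TimeSpan.MaxValue in whole milliseconds
LONG_SLEEP_MS = 180_000                  # three minutes (assumption: longer than most sandbox runs)
SLEEP_LOOP_THRESHOLD = 30                # same bound the report prints ("> 30")

# WMI classes whose values differ between bare metal and common hypervisors:
# the three queried above plus others VM checks commonly use (assumption).
VM_FINGERPRINT_CLASSES = {
    "win32_bios", "win32_baseboard", "win32_processor",
    "win32_computersystem", "win32_videocontroller", "win32_diskdrive",
}
# Subdirectories of System32/SysWOW64 that legitimately hold executables (assumption).
KNOWN_SYSTEM_SUBDIRS = {"wbem", "windowspowershell", "drivers", "spool", "oobe"}

WEIGHTS = {  # assumption: relative weights for a triage score
    "vm_fingerprint_wmi": 2, "long_sleep": 2, "sleep_loop": 1,
    "debug_privilege": 1, "exec_from_system_subdir": 3, "machine_guid_read": 1,
}

ROW_RE = re.compile(
    r"^Source:\s+(?P<source>[A-Za-z]:\\.+?\.exe)\s+(?:TID:\s+(?P<tid>\d+)\s+)?(?P<event>.+)$"
)
WMI_RE = re.compile(r"SELECT\s+\*\s+FROM\s+(Win32_\w+)", re.I)
DELAY_RE = re.compile(r"Thread delayed: delay time:\s+(\d+)")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s+(\d+)")
PROC_CREATED_RE = re.compile(r"Process created:\s+(?P<child>[A-Za-z]:\\.+?\.exe)")
MACHINE_GUID_RE = re.compile(r"Key value queried:.*\\Cryptography MachineGuid", re.I)


def parse_row(row: str):
    """Split a row into source path, optional TID and event text; None if malformed."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def in_system_subdir(path: str) -> bool:
    """True when an executable sits in a non-standard subdirectory below
    System32/SysWOW64, e.g. C:\\Windows\\SysWOW64\\SubDir\\syscall.exe."""
    p = path.lower()
    for base in ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"):
        if p.startswith(base):
            parts = p[len(base):].split("\\")
            return len(parts) > 1 and parts[0] not in KNOWN_SYSTEM_SUBDIRS
    return False


@dataclass
class Triage:
    findings: set = field(default_factory=set)   # (tag, source, detail), de-duplicated

    @property
    def tags(self):
        return sorted({tag for tag, _, _ in self.findings})

    @property
    def score(self):
        return sum(WEIGHTS[tag] for tag, _, _ in self.findings)


def triage(rows) -> Triage:
    """Walk the rows and record every indicator with the process that produced it."""
    t = Triage()
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        src, ev = r["source"], r["event"]
        if (m := WMI_RE.search(ev)) and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
            t.findings.add(("vm_fingerprint_wmi", src, m.group(1)))
        if (m := DELAY_RE.search(ev)) and int(m.group(1)) >= LONG_SLEEP_MS:
            ms = int(m.group(1))
            detail = "TimeSpan.MaxValue" if ms == TIMESPAN_MAX_MS else f"{ms} ms"
            t.findings.add(("long_sleep", src, detail))
        if (m := SLEEP_COUNT_RE.search(ev)) and int(m.group(1)) > SLEEP_LOOP_THRESHOLD:
            t.findings.add(("sleep_loop", src, f"{m.group(1)} sleeps"))
        if ev.startswith("Process token adjusted: Debug"):
            t.findings.add(("debug_privilege", src, "SeDebugPrivilege"))
        if (m := PROC_CREATED_RE.search(ev)) and in_system_subdir(m.group("child")):
            t.findings.add(("exec_from_system_subdir", src, m.group("child")))
        if MACHINE_GUID_RE.search(ev):
            t.findings.add(("machine_guid_read", src, "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for tag, src, detail in sorted(result.findings):
        print(f"{tag:24} {src} -> {detail}")
    print("score:", result.score)
```

Running it on the rows above yields a score of 14 with all six indicator tags; the three WMI classes count separately because each is a distinct fingerprinting query, while the ignored NOOPENFILEERRORBOX row contributes nothing.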

Stealing of Sensitive Information

Source: Yara match | File source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\SysWOW64\SubDir\syscall.exe, type: DROPPED
MITRE ATT&CK matrix (the export flattened the grid; rebuilt here as one line per tactic with the techniques in the report's row order; the bracketed digits are the numeric badges the report renders next to a technique, copied verbatim and attached to the technique they precede):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: [21] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: [11] Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: [121] Masquerading; [1] Disable or Modify Tools; [31] Virtualization/Sandbox Evasion; [11] Process Injection; [1] Hidden Files and Directories; [11] Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: [111] Security Software Discovery; [31] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; [23] System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: [1] Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Command and Control: [11] Encrypted Channel; [1] Non-Standard Port; [1] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [13] Application Layer Protocol; Multiband Communication
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Source | Detection | Scanner | Label
30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.Tinclex
30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | 100% | Avira | HEUR/AGEN.1305744
30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\SysWOW64\SubDir\syscall.exe | 100% | Avira | HEUR/AGEN.1305744
C:\Windows\SysWOW64\SubDir\syscall.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\SubDir\syscall.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.Tinclex
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://telize.com | 0% | Avira URL Cloud | safe
https://www.telize.com/geoip | 0% | Avira URL Cloud | safe
https://www.telize.com | 0% | Avira URL Cloud | safe
http://telize.com/geoip | 0% | Avira URL Cloud | safe
http://www.telize.com | 0% | Avira URL Cloud | safe
http://freegeoip.net0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
telize.com | 88.198.193.213 | true | true | | unknown
www.telize.com | 88.198.193.213 | true | true | | unknown
api4.ipify.org | 64.185.227.156 | true | false | | high
freegeoip.net | 104.26.15.73 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://freegeoip.net/xml/ | false | | high
http://telize.com/geoip | true | Avira URL Cloud: safe | unknown
https://www.telize.com/geoip | true | Avira URL Cloud: safe | unknown
http://api.ipify.org/ | false | | high
http://freegeoip.net/shutdown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://freegeoip.net0 | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api4.ipify.org | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.telize.com | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.net | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.0000000003332000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.telize.com | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org/3 | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, syscall.exe.0.dr | false | | high
http://api.ipify.org | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.000000000342B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://telize.com | 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.0000000003332000.00000004.00000800.00020000.00000000.sdmp, 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe, 00000000.00000002.1653919173.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.92.248.33 | unknown | Bulgaria | 34368 | THEZONEBG | false
88.198.193.213 | telize.com | Germany | 24940 | HETZNER-ASDE | true
104.26.15.73 | freegeoip.net | United States | 13335 | CLOUDFLARENETUS | false
64.185.227.156 | api4.ipify.org | United States | 18450 | WEBNXUS | false
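The domain, URL and IP tables above are the indicators a detection engineer would load into a hunt, and the related-samples tables further down show why they need tiering: telize.com, freegeoip.net and the ipify endpoints are shared by many unrelated families (the same freegeoip.net/shutdown URL appears next to AgentTesla samples) and by legitimate software, so an alert on those alone is noise. The Python below is an added example for this page, not Joe Sandbox code and not from the sample. It matches constructed DNS and connection log lines against the indicators copied from the tables above and escalates only when a geo-IP lookup and a connection to 91.92.248.33 happen on the same host within a short window. That IP is listed above without a resolved domain and with an unknown reputation; the page does not say what the sample uses it for, so the rule treats it as a report-listed IP rather than a confirmed C2 and still requires correlation for a high-severity finding. The log format, host names, timestamps and the ten-minute window are assumptions.

```python
"""Correlate the report's network indicators against host DNS/connection logs.

Added example for this page (not Joe Sandbox code, not from the sample). The
indicator sets are copied from the report's tables; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public IP/geo-location services the sample contacts. Shared by many malware
# families and legitimate software, so on their own they are a weak signal.
GEOIP_DOMAINS = {"telize.com", "www.telize.com", "freegeoip.net",
                 "api.ipify.org", "api4.ipify.org"}
GEOIP_IPS = {"88.198.193.213", "104.26.15.73", "64.185.227.156"}

# The remaining IP from the report's table: no domain attached, purpose not
# stated on the page. Treated as report-listed, not as a confirmed C2.
REPORT_IPS = {"91.92.248.33"}

# Escalate when a geo-IP lookup and a report-listed IP are seen from the same
# host within this window (assumption; tune per environment).
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed log lines, not taken from the report.
LOG_LINES = """\
2023-12-21T21:31:10Z host=ws17 event=dns query=api.ipify.org
2023-12-21T21:31:12Z host=ws17 event=dns query=www.telize.com
2023-12-21T21:31:13Z host=ws17 event=conn dst=88.198.193.213
2023-12-21T21:31:40Z host=ws17 event=conn dst=91.92.248.33
2023-12-21T21:35:00Z host=ws02 event=dns query=api.ipify.org
2023-12-21T21:35:01Z host=ws02 event=conn dst=64.185.227.156
2023-12-21T22:10:00Z host=ws09 event=conn dst=91.92.248.33
2023-12-21T22:11:00Z host=ws09 event=dns query=example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<ev>dns|conn)\s+"
    r"(?:query=(?P<query>\S+)|dst=(?P<dst>\S+))$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify(rec):
    """Map a record to 'geoip' (weak), 'report_ip' (report-listed) or None."""
    if rec["ev"] == "dns" and rec["query"] and rec["query"].lower().rstrip(".") in GEOIP_DOMAINS:
        return "geoip"
    if rec["ev"] == "conn" and rec["dst"] in GEOIP_IPS:
        return "geoip"
    if rec["ev"] == "conn" and rec["dst"] in REPORT_IPS:
        return "report_ip"
    return None


def assess(log_text):
    """Per host: (severity, sorted matched indicators).

    low    = only geo-IP service traffic
    medium = contact with a report-listed IP, no nearby geo-IP lookup
    high   = geo-IP lookup and report-listed IP within CORRELATION_WINDOW
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            per_host[rec["host"]].append((rec["ts"], kind, rec["query"] or rec["dst"]))

    verdicts = {}
    for host, events in per_host.items():
        geo = [e for e in events if e[1] == "geoip"]
        hits = [e for e in events if e[1] == "report_ip"]
        correlated = any(abs(h[0] - g[0]) <= CORRELATION_WINDOW
                         for h in hits for g in geo)
        severity = "high" if correlated else "medium" if hits else "low"
        verdicts[host] = (severity, sorted({e[2] for e in events}))
    return verdicts


if __name__ == "__main__":
    for host, (severity, iocs) in sorted(assess(LOG_LINES).items()):
        print(f"{host}: {severity} {iocs}")
```

On the constructed lines, ws17 is rated high (geo-IP lookups followed 27 seconds later by the report-listed IP), ws09 medium (the IP alone), and ws02 low (ipify only), which is the ordering a responder would want before opening a ticket.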
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1365837
Start date and time: 2023-12-21 21:31:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/2@4/4
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 11
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                            • VT rate limit hit for: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
Time | Type | Description
21:31:52 | API Interceptor | 1x Sleep call for process: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe modified
21:32:32 | API Interceptor | 4000790x Sleep call for process: syscall.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
88.198.193.213 | XIiRHEaA9R.exe | malicious | Quasar | www.telize.com/geoip
88.198.193.213 | svchost.exe | malicious | Quasar | www.telize.com/geoip
88.198.193.213 | conn.exe | malicious | Quasar | www.telize.com/geoip
88.198.193.213 | JwzZ6mkzIG.exe | malicious | Quasar | www.telize.com/geoip
88.198.193.213 | DRAFT-COPY-0409484-BILLLADING.exe | malicious | Quasar | www.telize.com/geoip
88.198.193.213 | SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe | malicious | Quasar | www.telize.com/geoip
104.26.15.73 | XIiRHEaA9R.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | FAXED NBD PAYMENT SLIP FOR PENDING ORDERS.PDF-.exe | malicious | AgentTesla Blackshades MailPassView | freegeoip.net/shutdown
104.26.15.73 | 85GIjfkXum.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | svchost.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | conn.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | JwzZ6mkzIG.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | Partner Letter- DStv and GOtv Price Adjustment October 2020.pdf.exe | malicious | Unknown | freegeoip.net/shutdown
104.26.15.73 | DRAFT-COPY-0409484-BILLLADING.exe | malicious | Quasar | freegeoip.net/shutdown
104.26.15.73 | pKzpc3T89w.exe | malicious | Unknown | freegeoip.net/shutdown
104.26.15.73 | 5DSTV&GOTV new price list.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 54Terms and Conditions for the ongoing Extra cash on PAGA.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 7New Pricing Structure -1st May 2019 Roll out.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 3Agent Registration Update on PAGA.xlsx.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 13New Price list Update On DSTV&GOTV For Easter Bonus.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 20New Price list Update On DSTV&GOTV For Easter Bonus.xlsx.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 45Incentives Business Rules.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 35PAGA Agent Ranking For February 2019 till date.xlsx.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 46Recently Updated On Our Pricing And Commissions On Paga.xlsx.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 49QT Paypoint Monthly commission Statement And Bonus For The Month Of March 2019.pdf.exe | malicious | | freegeoip.net/shutdown
104.26.15.73 | 31ACTIVATION TEMPLATE.xlsx.exe | malicious | | freegeoip.net/shutdown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
telize.com | XIiRHEaA9R.exe | malicious | Quasar | 88.198.193.213
 | svchost.exe | malicious | Quasar | 88.198.193.213
 | conn.exe | malicious | Quasar | 88.198.193.213
 | JwzZ6mkzIG.exe | malicious | Quasar | 88.198.193.213
 | DRAFT-COPY-0409484-BILLLADING.exe | malicious | Quasar | 88.198.193.213
 | SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe | malicious | Quasar | 88.198.193.213
 | pKzpc3T89w.exe | malicious | Unknown | 159.203.157.217
api4.ipify.org | U1MiP25NrU.exe | malicious | Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar | 64.185.227.156
 | Thermosystems-30 November, 2023.htm | malicious | Unknown | 173.231.16.77
 | SHPPING_DOCUMENTS.exe | malicious | AgentTesla | 64.185.227.156
 | SecuriteInfo.com.Trojan.PackedNET.2511.21116.16165.exe | malicious | AgentTesla | 104.237.62.212
 | order B206394, 1x 62003023_pdf .exe | malicious | AgentTesla, PureLog Stealer | 64.185.227.156
 | RFQ20231220_Lista_projekt#U00f3w_komercyjnych_2024.vbe | malicious | AgentTesla, GuLoader | 64.185.227.156
 | Payment.exe | malicious | AgentTesla | 104.237.62.212
 | SHIPMENT_DOCUMENTS.exe | malicious | AgentTesla, NSISDropper | 173.231.16.77
 | AimmyWPF.exe | malicious | Unknown | 64.185.227.156
 | SecuriteInfo.com.Win32.MalwareX-gen.7467.17078.exe | malicious | AgentTesla | 64.185.227.156
 | https://pixel.ad.lifesight.io/pixel/event/0OSNKL?event=CLICK&ios_idfa=%5Bios_idfa%5D&android_gaid=%5Bandroid_gaid%5D&cid=%5Bcampaign_id%5D&app=%5Bapp_name%5D&channel=customdsp&cv=Adbro_330e_320x472&dnt=%5Bdo_not_track%5D&cb=timestamp&ts=%5BcurrentTime%5D&redirect=https://itkrish.com/-./ | malicious | Unknown | 104.237.62.212
 | SecuriteInfo.com.Win32.PWSX-gen.7388.31207.exe | malicious | AgentTesla | 64.185.227.156
 | swift_copy.doc | malicious | AgentTesla | 104.237.62.212
 | https://user-app.sentieo.com/alert/alert_click/?tp=eyJlbWFpbCI6ICJoYXJ2ZXlAY3Jhd2ZvcmRsYWtlY2FwaXRhbC5jb20iLCAidGlja2VyIjogInNlIiwgIm1ldGFfdHlwZSI6ICJkb2N1bWVudCIsICJhbGVydF90eXBlIjogImRzX2FsZXJ0X3NtYXJ0X3N1bW1hcnkiLCAibGlua190eXBlIjogImFsZXJ0X3R5cGVfdW5zdWIifQ==&url=//sashaaesthetics.com/.turao/YW5keS5jaWFyYW1lbGxhQG1hZ2FpcnBvcnRzLmNvbQ== | malicious | HTMLPhisher | 64.185.227.156
 | #U039b#U03b5#U03af#U03c0#U03b5#U03b9_#U03c4#U03bf_PI.doc | malicious | AgentTesla | 104.237.62.212
 | 7C3J00l6fa.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | 173.231.16.77
 | New_Text_Document_mod.exse.exe | malicious | AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader | 64.185.227.156
 | SecuriteInfo.com.Win32.PWSX-gen.1291.19904.exe | malicious | AgentTesla | 173.231.16.77
 | 8RYB9RzQA5.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | 173.231.16.77
 | SecuriteInfo.com.Win32.TrojanX-gen.31688.18440.exe | malicious | AgentTesla | 64.185.227.156
www.telize.com | XIiRHEaA9R.exe | malicious | Quasar | 88.198.193.213
 | svchost.exe | malicious | Quasar | 88.198.193.213
 | conn.exe | malicious | Quasar | 88.198.193.213
 | JwzZ6mkzIG.exe | malicious | Quasar | 88.198.193.213
 | DRAFT-COPY-0409484-BILLLADING.exe | malicious | Quasar | 88.198.193.213
 | SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe | malicious | Quasar | 88.198.193.213
 | pKzpc3T89w.exe | malicious | Unknown | 159.203.157.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context
THEZONEBG | U1MiP25NrU.exe | malicious | Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar | 91.92.254.7
 | ED1UPpAvQI.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | HoJLqGsLtf.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | ZPevTawGNN.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | OTP_Bank_-_fizet#U00e9si_bizonylat_20231221.pdf(61KB).com.exe | malicious | Remcos | 91.92.252.201
 | u6r5Pt2gSm.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | 36GHgWCXHF.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | file.exe | malicious | RisePro Stealer, Vidar | 91.92.249.253
 | v0Rjs5ouAE.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | ILODz4tXhm.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | 36KV_XLPE_Cable,_300mm#U00b2.xlsx | malicious | AgentTesla | 91.92.253.245
 | YfygD41CEE.exe | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | Z8g13DVLej.exe | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | VDIbCKYOlG.exe | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | Oden_PO2339.exe | malicious | AveMaria, UACMe | 91.92.252.239
 | YX1CxTwW9j.exe | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | XAxaAbjIBy.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | b823dec3eeae35906a95d69d3c39ce07fe3155f2c8d4c.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | 417OeBepSx.exe | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
 | j3sCauen5m.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 91.92.249.253
HETZNER-ASDE | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | SecuriteInfo.com.Other.Malware-gen.15.32366.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | jcY9CjvBDG.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 95.216.107.103
 | http://bid.com.al/8yc/8876649/8766389/example@example.com | malicious | Unknown | 136.243.187.29
 | 8fEEeAU91Y.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | sCzFNAYGKI.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 5.161.180.74
 | rdIhz2L11B.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | TIcVHqPSRJ.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | file.exe | malicious | Petite Virus, Socks5Systemz | 95.216.227.177
 | https://finance369.com/fztbnt/?66730191 | malicious | Unknown | 159.69.51.30
 | 27i42a6Qag.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 95.216.199.143
 | http://Dbree.org | malicious | Unknown | 136.243.4.18
 | http://Dbree.org | malicious | Unknown | 136.243.61.83
 | IJwJao4zCX.exe | malicious | RedLine, SectopRAT | 94.130.51.115
 | PARASWIFT.exe | malicious | FormBook | 5.9.29.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | rNEWORDER28938928384893029.exe | malicious | AveMaria, PrivateLoader | 88.198.193.213
 | New_shipment_details.exe | malicious | Snake Keylogger | 88.198.193.213
 | MT_Marine_Tiger_Particulars.exe | malicious | Snake Keylogger | 88.198.193.213
 | New_shipment_detail.exe | malicious | Snake Keylogger | 88.198.193.213
 | MT_Marine_Tiger_Particulars.exe | malicious | Snake Keylogger | 88.198.193.213
 | NMM_Community_Edition-4-0-71-3-1587501167.exe | malicious | Agent Tesla, AgentTesla | 88.198.193.213
 | https://docs.google.com/presentation/d/e/2PACX-1vQ8qBYUrnf3vGsqOxAG-KhbYTH5MD252iBH_Wgmvhg3Bo27mfpRjB864as9e5PqWgYF9wmUIeJBlyuI/pub?start=false&loop=false&delayms=3000 | malicious | HtmlDropper, HTMLPhisher | 88.198.193.213
 | AnyDesk.exe | malicious | Agent Tesla, AgentTesla | 88.198.193.213
 | Hareketleri-Bilgilendirmesi_PDF.exe | malicious | AgentTesla | 88.198.193.213
 | General_Attachment.exe | malicious | Snake Keylogger | 88.198.193.213
 | specifications.exe | malicious | Snake Keylogger | 88.198.193.213
 | Cargo_details.exe | malicious | Snake Keylogger | 88.198.193.213
 | Panama_Canal_Authority_Forms_TG.exe | malicious | Snake Keylogger | 88.198.193.213
 | Voyage_Orders.exe | malicious | Snake Keylogger | 88.198.193.213
 | AO_XIANG_FZCO_Order.exe | malicious | Snake Keylogger | 88.198.193.213
 | passport.vbs | malicious | Agniane Stealer | 88.198.193.213
 | NbN47VasP7.exe | malicious | Snake Keylogger | 88.198.193.213
 | KSA-PDA_17122023.exe | malicious | Snake Keylogger | 88.198.193.213
 | rpmOhktwoL.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | 88.198.193.213
 | sWKQ4er8xH.exe | malicious | RisePro Stealer, Vidar | 88.198.193.213
                                            No context
Process: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1578
Entropy (8bit): 5.3557361963257835
Encrypted: false
SSDEEP: 48:MIHK5HKH1qHiYHKh3okHZHKJHKntHo6hAHKzeR:Pq5qHwCYqh3ok5qJqntI6eqzm
MD5: 396FD2F3BDCFA72D0EB7DBDC83FCFF74
SHA1: 13BB9A42DAF2DD87D53E861AD0D7304328E565CA
SHA-256: 7FAEAC19A652D39C2537D2C414E258681ED3D66F15C7B28B6D22E52C1A3F510F
SHA-512: 6CBBEC1ED42BEE61B550FD69FB0A893573612F4C301130BD7C64340AAF738F5CB55735F7C5DFA5E09F408034CF965AC25B28DFE1A413ABE5837E74E07545934D
Malicious: false
Reputation: low
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127
Process: C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 273920
Entropy (8bit): 6.389557780583135
Encrypted: false
SSDEEP: 6144:RaaXMzUmOZoqSYjO8KHGwgImxbEWMgdD:4achqSYFKHGw1m3Mw
MD5: 6DDDA01B781E92010749CAE1248B6D51
SHA1: F33280D5DEE0BCD5B5F07C8D38E50B3833288192
SHA-256: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603FF37AC4F13928DD84B73
SHA-512: C4D901E6A3846DD4995943AD38DBF8EA38669ED6936CA1D31354D9F330EB4F9B502E1C49B9B424184BDF8899A2EE4EFE257DBC4BF0FF489C2BE228F8A45301E2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Joe Security
• Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: unknown
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
• Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
• Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
• Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
• Rule: Quasar, Description: detect Remcos in memory, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: JPCERT/CC Incident Response Group
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: ditekSHen
• Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Reputation: low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.Ue................. ...........?... ........@.. ....................................@.................................H?..S....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......,..............@..B.................?......H........Z..\............U..H............................................~....*........*.~....*........*.~....*........*.(....(....*..{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....(....*
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.389557780583135
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
File size: 273'920 bytes
MD5: 6ddda01b781e92010749cae1248b6d51
SHA1: f33280d5dee0bcd5b5f07c8d38e50b3833288192
SHA256: 30eafdb7c2c580890c4fb2a7101db1d22c88bd723603ff37ac4f13928dd84b73
SHA512: c4d901e6a3846dd4995943ad38dbf8ea38669ed6936ca1d31354d9f330eb4f9b502e1c49b9b424184bDF8899A2EE4EFE257DBC4BF0FF489C2BE228F8A45301E2
SSDEEP: 6144:RaaXMzUmOZoqSYjO8KHGwgImxbEWMgdD:4achqSYFKHGw1m3Mw
TLSH: 78448D6667DC871BE3AE07BEF06041015BB9DD27F50AE7874D8885B82C533A1CE426E7
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.Ue................. ...........?... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x443f9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6555F521 [Thu Nov 16 10:55:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43f48 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0xa00 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x2000 | 0x41fa4 | 0x42000 | False | 0.5190873579545454 | data | 6.408203067377705 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x44000 | 0xa00 | 0xa00 | False | 0.358984375 | data | 4.494437383231915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x46000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_VERSION | 0x440a0 | 0x244 | data | | | 0.47413793103448276 |
| RT_MANIFEST | 0x442e8 | 0x562 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43178519593613934 |
| DLL | Import |
| --- | --- |
| mscoree.dll | _CorExeMain |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 12/21/23-21:31:53.772646 | TCP | 2814031 | ETPRO TROJAN W32/Quasar RAT Connectivity Check | 49734 | 80 | 192.168.2.4 | 88.198.193.213 |
| 12/21/23-21:31:56.157554 | TCP | 2814030 | ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 | 49737 | 80 | 192.168.2.4 | 104.26.15.73 |
| 12/21/23-21:31:49.636142 | TCP | 2814031 | ETPRO TROJAN W32/Quasar RAT Connectivity Check | 49729 | 80 | 192.168.2.4 | 88.198.193.213 |
| 12/21/23-21:31:52.464064 | TCP | 2814030 | ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 | 49732 | 80 | 192.168.2.4 | 104.26.15.73 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 21, 2023 21:31:49.127305031 CET | 192.168.2.4 | 1.1.1.1 | 0xfe14 | Standard query (0) | telize.com | A (IP address) | IN (0x0001) | false |
| Dec 21, 2023 21:31:49.884321928 CET | 192.168.2.4 | 1.1.1.1 | 0x987f | Standard query (0) | www.telize.com | A (IP address) | IN (0x0001) | false |
| Dec 21, 2023 21:31:52.211429119 CET | 192.168.2.4 | 1.1.1.1 | 0xc5d9 | Standard query (0) | freegeoip.net | A (IP address) | IN (0x0001) | false |
| Dec 21, 2023 21:31:52.742269039 CET | 192.168.2.4 | 1.1.1.1 | 0x1acc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                             Dec 21, 2023 21:31:49.383277893 CET | 1.1.1.1 | 192.168.2.4 | 0xfe14 | No error (0) | telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:50.137042046 CET | 1.1.1.1 | 192.168.2.4 | 0x987f | No error (0) | www.telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.337388992 CET | 1.1.1.1 | 192.168.2.4 | 0xc5d9 | No error (0) | freegeoip.net | | 104.26.15.73 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.337388992 CET | 1.1.1.1 | 192.168.2.4 | 0xc5d9 | No error (0) | freegeoip.net | | 172.67.75.176 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.337388992 CET | 1.1.1.1 | 192.168.2.4 | 0xc5d9 | No error (0) | freegeoip.net | | 104.26.14.73 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.867408037 CET | 1.1.1.1 | 192.168.2.4 | 0x1acc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.867408037 CET | 1.1.1.1 | 192.168.2.4 | 0x1acc | No error (0) | api4.ipify.org | | 64.185.227.156 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.867408037 CET | 1.1.1.1 | 192.168.2.4 | 0x1acc | No error (0) | api4.ipify.org | | 104.237.62.212 | A (IP address) | IN (0x0001) | false
                                             Dec 21, 2023 21:31:52.867408037 CET | 1.1.1.1 | 192.168.2.4 | 0x1acc | No error (0) | api4.ipify.org | | 173.231.16.77 | A (IP address) | IN (0x0001) | false
                                            • www.telize.com
                                            • telize.com
                                            • freegeoip.net
                                            • api.ipify.org
                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             0 | 192.168.2.4 | 49729 | 88.198.193.213 | 80 | 5628 | C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:49.636142015 CET | 144 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: telize.com
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:49.882961035 CET | 403 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Thu, 21 Dec 2023 20:31:49 GMT
                                            Content-Type: text/html
                                            Content-Length: 162
                                            Connection: keep-alive
                                            Location: https://www.telize.com/geoip
                                            Strict-Transport-Security: max-age=63072000
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             1 | 192.168.2.4 | 49732 | 104.26.15.73 | 80 | 5628 | C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:52.464063883 CET | 146 | OUT | GET /xml/ HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:52.598694086 CET | 613 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Thu, 21 Dec 2023 20:31:52 GMT
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Thu, 21 Dec 2023 21:31:52 GMT
                                            Location: http://freegeoip.net/shutdown
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yeRGhGrwFwjHuxJvUtg1cBjeV58%2FXLKtjMnW68qOAefIv%2BkiQungQxYizEirKR2r8pqyjBh7w2nhW6RfvY6W6MKO%2BXtjjPpLAUk8H0%2FGep2U2nh%2BF4fpThAQ6CZu7wg%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e4213f4fdae1-MIA
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0
                                             Dec 21, 2023 21:31:52.599468946 CET | 126 | OUT | GET /shutdown HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                             Dec 21, 2023 21:31:52.733278036 CET | 1286 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 21 Dec 2023 20:31:52 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            vary: Accept-Encoding
                                            x-powered-by: PHP/8.1.17
                                            expires: Sat, 26 Jul 1997 05:00:00 GMT
                                            cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0
                                            pragma: no-cache
                                            last-modified: Fri, 08 Dec 2023 07:46:11 GMT
                                            x-cache-miss-from: parking-698fb476bf-xqxcz
                                            CF-Cache-Status: HIT
                                            Age: 1169141
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=13Bx9ohkMpkKG%2FdG6JcS6xx5HHKiwi71tYfWAPIls%2BfUTxkJLgZhIT0qUsZJoKXzqmjYTz2Lytl3XGNTRS%2BU%2F%2Bv%2FenzGPc4il3Y3lV06LvH%2FzXGXs4A1xrMUtQRFAfg%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e42218a5dae1-MIA
                                            Data Raw: 34 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 66 72 65 65 67 65 6f 69 70 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 0a 20 20 20 20 20 20 20 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 20 20
                                            Data Ascii: 400<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>freegeoip.net</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height:
                                             Dec 21, 2023 21:31:52.733320951 CET | 583 | IN | Data Raw: 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 20 20 20 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 20 20 20 20 20 20 20 20 30 3b 0a 20 20 20 20 20
                                            Data Ascii: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline;
                                             Dec 21, 2023 21:31:52.733330965 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             2 | 192.168.2.4 | 49733 | 64.185.227.156 | 80 | 5628 | C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:53.029310942 CET | 142 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: api.ipify.org
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:53.189039946 CET | 177 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.25.1
                                            Date: Thu, 21 Dec 2023 20:31:53 GMT
                                            Content-Type: text/plain
                                            Content-Length: 15
                                            Connection: keep-alive
                                            Vary: Origin
                                            Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 31 32
                                            Data Ascii: 102.129.152.212


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             3 | 192.168.2.4 | 49734 | 88.198.193.213 | 80 | 1596 | C:\Windows\SysWOW64\SubDir\syscall.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:53.772645950 CET | 144 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: telize.com
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:54.019176006 CET | 403 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Thu, 21 Dec 2023 20:31:53 GMT
                                            Content-Type: text/html
                                            Content-Length: 162
                                            Connection: keep-alive
                                            Location: https://www.telize.com/geoip
                                            Strict-Transport-Security: max-age=63072000
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
                                             Dec 21, 2023 21:31:57.439465046 CET | 120 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: telize.com
                                             Dec 21, 2023 21:31:57.692784071 CET | 403 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Thu, 21 Dec 2023 20:31:57 GMT
                                            Content-Type: text/html
                                            Content-Length: 162
                                            Connection: keep-alive
                                            Location: https://www.telize.com/geoip
                                            Strict-Transport-Security: max-age=63072000
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             4 | 192.168.2.4 | 49737 | 104.26.15.73 | 80 | 1596 | C:\Windows\SysWOW64\SubDir\syscall.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:56.157553911 CET | 146 | OUT | GET /xml/ HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:56.294445038 CET | 607 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Thu, 21 Dec 2023 20:31:56 GMT
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Thu, 21 Dec 2023 21:31:56 GMT
                                            Location: http://freegeoip.net/shutdown
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jd%2B6zHUXV32EEKfi7wnyZpncm17XtYaZdnffaTReHVuB3I0p60hMXuRhD8DCIQer940f4KGfnkdgHISxJGkq7nJFeriHp0QRJBFZZajrC4cxGe8ciEjoAMofEk8zJ%2Fg%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e4385d3123b5-MIA
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0
                                             Dec 21, 2023 21:31:56.295181990 CET | 126 | OUT | GET /shutdown HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                             Dec 21, 2023 21:31:56.427026033 CET | 1286 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 21 Dec 2023 20:31:56 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            vary: Accept-Encoding
                                            x-powered-by: PHP/8.1.17
                                            expires: Sat, 26 Jul 1997 05:00:00 GMT
                                            cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0
                                            pragma: no-cache
                                            last-modified: Thu, 30 Nov 2023 08:10:36 GMT
                                            x-cache-miss-from: parking-698fb476bf-krcf5
                                            CF-Cache-Status: HIT
                                            Age: 1858880
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H4d5XLSRvRyS1rSJcEzyWrgV%2FSZSu5FGqmBGTUF0HS9Smgo2uV2l77HvOk4AvbYZTHrKXwhUYrKe2mzFKW7lLlrI2PTAJpCdg8cHsi3%2ByvKjGHrm1me8YIGjm6WO2ts%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e4392e3b23b5-MIA
                                            Data Raw: 34 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 66 72 65 65 67 65 6f 69 70 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 0a 20 20 20 20 20 20 20 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 20 20 20 20 20 20 20 20 31 30 30 25
                                            Data Ascii: 400<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>freegeoip.net</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height: 100%
                                             Dec 21, 2023 21:31:56.427071095 CET | 573 | IN | Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 20 20 20 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 20 20 20 20 20 20 20 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64
                                            Data Ascii: ; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline;
                                             Dec 21, 2023 21:31:56.427087069 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0
                                             Dec 21, 2023 21:31:59.689173937 CET | 122 | OUT | GET /xml/ HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                             Dec 21, 2023 21:31:59.817796946 CET | 609 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Thu, 21 Dec 2023 20:31:59 GMT
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Thu, 21 Dec 2023 21:31:59 GMT
                                            Location: http://freegeoip.net/shutdown
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qDe6CqKmj7y3zpnjXpaDcZO2m4851%2BQtiX%2BYg5ol%2BDJHUrXLryAkthrERBz84uWxuW2UWi3Qr79iHNqKmy8xU2LHCHLoBtnYF7nEv41CG88dmFNk14QHdFwGwOzyemI%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e44e6d5823b5-MIA
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0
                                             Dec 21, 2023 21:31:59.818027020 CET | 126 | OUT | GET /shutdown HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: freegeoip.net
                                             Dec 21, 2023 21:31:59.949728966 CET | 1286 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 21 Dec 2023 20:31:59 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            vary: Accept-Encoding
                                            x-powered-by: PHP/8.1.17
                                            expires: Sat, 26 Jul 1997 05:00:00 GMT
                                            cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0
                                            pragma: no-cache
                                            last-modified: Thu, 30 Nov 2023 08:10:36 GMT
                                            x-cache-miss-from: parking-698fb476bf-krcf5
                                            CF-Cache-Status: HIT
                                            Age: 1858883
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rBzVSfQzij8NnLc2u5C0dM5HfToGTuw1VV3SGqDiF1J65givwIYwl2038HCwVxJ0MzX9cr3fp4HiogCIx01GgWAbdVUNHiG%2BeS6bxpV6j%2FtCrvOMAY12JP5bhzp6GcI%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8392e44f3e8d23b5-MIA
                                            Data Raw: 34 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 66 72 65 65 67 65 6f 69 70 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 0a 20 20 20 20 20 20 20 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 20 20 20 20 20 20 20 20 31 30 30 25
                                            Data Ascii: 400<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>freegeoip.net</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height: 100%
                                             Dec 21, 2023 21:31:59.949742079 CET | 573 | IN | Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 20 20 20 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 20 20 20 20 20 20 20 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64
                                            Data Ascii: ; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline;
                                             Dec 21, 2023 21:31:59.949749947 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             5 | 192.168.2.4 | 49738 | 64.185.227.156 | 80 | 1596 | C:\Windows\SysWOW64\SubDir\syscall.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Dec 21, 2023 21:31:56.590687990 CET | 142 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: api.ipify.org
                                            Connection: Keep-Alive
                                             Dec 21, 2023 21:31:56.751127005 CET | 177 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.25.1
                                            Date: Thu, 21 Dec 2023 20:31:56 GMT
                                            Content-Type: text/plain
                                            Content-Length: 15
                                            Connection: keep-alive
                                            Vary: Origin
                                            Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 31 32
                                            Data Ascii: 102.129.152.212
                                             Dec 21, 2023 21:31:59.950306892 CET | 118 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: api.ipify.org
                                             Dec 21, 2023 21:32:00.109397888 CET | 177 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.25.1
                                            Date: Thu, 21 Dec 2023 20:32:00 GMT
                                            Content-Type: text/plain
                                            Content-Length: 15
                                            Connection: keep-alive
                                            Vary: Origin
                                            Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 31 32
                                            Data Ascii: 102.129.152.212


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             0 | 192.168.2.4 | 49730 | 88.198.193.213 | 443 | 5628 | C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             2023-12-21 20:31:50 UTC | 148 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             1 | 192.168.2.4 | 49731 | 88.198.193.213 | 443 | 5628 | C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             2023-12-21 20:31:51 UTC | 148 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             2 | 192.168.2.4 | 49735 | 88.198.193.213 | 443 | 1596 | C:\Windows\SysWOW64\SubDir\syscall.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             2023-12-21 20:31:54 UTC | 148 | OUT | GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive


                                            Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49736 | Destination IP: 88.198.193.213 | Destination Port: 443 | PID: 1596 | Process: C:\Windows\SysWOW64\SubDir\syscall.exe
                                            Timestamp: 2023-12-21 20:31:55 UTC | Bytes transferred: 148 | Direction: OUT
                                            Data:
                                            GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive


                                            Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 88.198.193.213 | Destination Port: 443 | PID: 1596 | Process: C:\Windows\SysWOW64\SubDir\syscall.exe
                                            Timestamp: 2023-12-21 20:31:58 UTC | Bytes transferred: 148 | Direction: OUT
                                            Data:
                                            GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive


                                            Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 88.198.193.213 | Destination Port: 443 | PID: 1596 | Process: C:\Windows\SysWOW64\SubDir\syscall.exe
                                            Timestamp: 2023-12-21 20:31:59 UTC | Bytes transferred: 148 | Direction: OUT
                                            Data:
                                            GET /geoip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                            Host: www.telize.com
                                            Connection: Keep-Alive



                                            Target ID:0
                                            Start time:21:31:48
                                            Start date:21/12/2023
                                            Path:C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe
                                            Imagebase:0xe40000
                                            File size:273'920 bytes
                                            MD5 hash:6DDDA01B781E92010749CAE1248B6D51
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1653919173.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                            • Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000000.1607883808.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:21:31:52
                                            Start date:21/12/2023
                                            Path:C:\Windows\SysWOW64\SubDir\syscall.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\SubDir\syscall.exe
                                            Imagebase:0xf20000
                                            File size:273'920 bytes
                                            MD5 hash:6DDDA01B781E92010749CAE1248B6D51
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Joe Security
                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Joe Security
                                            • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: unknown
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
                                            • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
                                            • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
                                            • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
                                            • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: Florian Roth
                                            • Rule: Quasar, Description: detect Remcos in memory, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: JPCERT/CC Incident Response Group
                                            • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: ditekSHen
                                            • Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Windows\SysWOW64\SubDir\syscall.exe, Author: ditekSHen
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 84%, ReversingLabs
                                            Reputation:low
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:10.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:57
                                              Total number of Limit Nodes:5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b754b8ab67d69e7fc34f0be6ba286f3ad95f573ae6ec0418dcb1adc02723d671
                                              • Instruction ID: c78ea266b9c240f7fcabdaa454bb5be31f9421c14815a9122cbc3dd179b0417d
                                              • Opcode Fuzzy Hash: b754b8ab67d69e7fc34f0be6ba286f3ad95f573ae6ec0418dcb1adc02723d671
                                              • Instruction Fuzzy Hash: 44B16E72E002298FDF14CFA9C8857DDBBF2BF89318F148529D815AB394EB749845CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f6370085c6a6f3abe5e34e0b01e41181ee42685c85d9d5820c92b96d1482aca4
                                              • Instruction ID: 24b3b6595f99cdafecac753f0569c503c7615c86eea970e7282477df69fd2eeb
                                              • Opcode Fuzzy Hash: f6370085c6a6f3abe5e34e0b01e41181ee42685c85d9d5820c92b96d1482aca4
                                              • Instruction Fuzzy Hash: 40B1AD72E002298FDF14CFA9D88579EBBF2BF89314F148529D805EB694EB74D845CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0152FA16
                                              • GetCurrentThread.KERNEL32 ref: 0152FA53
                                              • GetCurrentProcess.KERNEL32 ref: 0152FA90
                                              • GetCurrentThreadId.KERNEL32 ref: 0152FAE9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: dfef764104d2387b3de95f0d936829c24c909c50d558e88549571d1b0b0236a6
                                              • Instruction ID: 83939d935613f47fd92d7c1614a69efddc7efb7c74b7969f8975357c4127c160
                                              • Opcode Fuzzy Hash: dfef764104d2387b3de95f0d936829c24c909c50d558e88549571d1b0b0236a6
                                              • Instruction Fuzzy Hash: 7D5178B19003098FDB58DFA9D548B9EBBF1FF48314F20845AE419AB390D7746988CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015233F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: e710f63e79548a4145f65d7f2002c5c330d72500c39ca5c7eef6d3dcede60a0c
                                              • Instruction ID: ccbd64d0c1d53e7cff56d5450e908354c91bccf36e62cdea117bdd051d605e7b
                                              • Opcode Fuzzy Hash: e710f63e79548a4145f65d7f2002c5c330d72500c39ca5c7eef6d3dcede60a0c
                                              • Instruction Fuzzy Hash: CF41D1B5C00719CBDB64CFA9C848B9EBBF5BF49304F20846AD409AB251DB75694ACF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015233F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: cbc4bd981242ef4ec8fd5e59a0996a8a7387845d00aa9ff5965c8c607439bc90
                                              • Instruction ID: 00dd6a483be68fadfc8cdb7534c8257b69a1807a7cf8a4a081dba18fe6386f9f
                                              • Opcode Fuzzy Hash: cbc4bd981242ef4ec8fd5e59a0996a8a7387845d00aa9ff5965c8c607439bc90
                                              • Instruction Fuzzy Hash: 5241F3B1C0071DCBDB64DFA9C844B9DBBF5BF49304F20846AD409AB251DBB56949CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0152FC67
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 29cf1a1b37237b58ae9fdfaf2d7afab73efa7b72e23caffd2bf9a871d139eb96
                                              • Instruction ID: 738c5156dbd080ddbb1552fa41635e771143c3c4bcaa580cf35fb666e115106f
                                              • Opcode Fuzzy Hash: 29cf1a1b37237b58ae9fdfaf2d7afab73efa7b72e23caffd2bf9a871d139eb96
                                              • Instruction Fuzzy Hash: 4821E3B5900208DFDB10CFAAD984ADEBBF5FB48320F14845AE958B7350D379A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0152FC67
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 69c97f0a8ec2074ec49148bcba67a07eb22429affeb3c4b7abf1057eff4bb115
                                              • Instruction ID: f62b8d96d281a71d8826d6381650d2bff3479c0ec6fc12c9d01446da36d30daa
                                              • Opcode Fuzzy Hash: 69c97f0a8ec2074ec49148bcba67a07eb22429affeb3c4b7abf1057eff4bb115
                                              • Instruction Fuzzy Hash: 5121E4B59002089FDB10CFAAD984ADEBFF8FB48320F14841AE918B7350C379A944CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0152E6BD), ref: 0152E740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: ba8ab7ca00b9198733e4e105c7828837016367f8c2919f5ec8793c038d53379c
                                              • Instruction ID: 52e15d65c717f1a0de6862dda6ba1be1f1407f5e67517a1e0e99775fed2fc736
                                              • Opcode Fuzzy Hash: ba8ab7ca00b9198733e4e105c7828837016367f8c2919f5ec8793c038d53379c
                                              • Instruction Fuzzy Hash: D02158B2C006699BDB14DF9AD44579EFBF4FB49320F148529D918B7280D338A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0152E6BD), ref: 0152E740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 700f7eb1d2f5a0f4912e3d373dabcafd5123bc0736f8584a7b044ad9ae2e56a2
                                              • Instruction ID: 5bb674afc3e8cca64bd9fd2c7ee5a81475c52c1ce518231e03d5fce576c7f9f2
                                              • Opcode Fuzzy Hash: 700f7eb1d2f5a0f4912e3d373dabcafd5123bc0736f8584a7b044ad9ae2e56a2
                                              • Instruction Fuzzy Hash: D52158B1C006998BDB14CFAAD44579EFBF0FF49320F15812AD918B7280D738A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653144465.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_136d000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 10b755c4313f990eee407120b92e6dffecabbd85e856ce8442572aa48c2016ad
                                              • Instruction ID: 480c3565a37524f1fca123666893c60c1fba701315a3d2087c95b4ec85343840
                                              • Opcode Fuzzy Hash: 10b755c4313f990eee407120b92e6dffecabbd85e856ce8442572aa48c2016ad
                                              • Instruction Fuzzy Hash: D42136B1604344DFCB01DF58C8C0B26BF69FB8831CF24C569EA4A0BA5AC336D416CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653144465.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_136d000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                              • Instruction ID: 60dc347a8aa46f05bb99f23a659961dd3f49dfdfa18a5264eafca96fb19e142d
                                              • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                              • Instruction Fuzzy Hash: A8110376604280CFCB12CF44D5C4B16BF72FB84328F24C1A9D9494B65BC336D45ACBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653311123.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1520000_30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80c40c86cc0d25b57e40225bafca8d93572d4a82cf4a6df0e627d6b108144cf9
                                              • Instruction ID: ade40a1209989a3447dddaa8b5b4c41cc8745389c9ef7deaa940e95759426c41
                                              • Opcode Fuzzy Hash: 80c40c86cc0d25b57e40225bafca8d93572d4a82cf4a6df0e627d6b108144cf9
                                              • Instruction Fuzzy Hash: DD917071E00229CFDF14CFA9D98179DBBF2BF89318F188529E405AB394EB749845CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%