Edit tour

Windows Analysis Report
QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_JULQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_JULQTRA071244PDF.scr.exe
Analysis ID:	1465905
MD5:	2756768c9b94948e6ac6877fd26178e3
SHA1:	30f772fdfdb5a1567d37c9a998f82939d60b6667
SHA256:	b75793ac0d57482cfb4abf41303bc240bb13a089b4b048c0d5ff36f3a19cdc7a
Tags:	exeFormbookscr
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_JULQTRA071244#U00faPDF.scr.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe" MD5: 2756768C9B94948E6AC6877FD26178E3)

aspnet_compiler.exe (PID: 8012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zam8@qlststv.com", "Password": "2htWJg8Ru9SP..!TZmaka!@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1747373203.00000000027E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1763963999.00000000065E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 8012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 8012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.27e0000.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32049:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x320bb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32145:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x321d7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32241:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x322b3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32349:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x323d9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3a89550.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.6813db0.13.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e49:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ebb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f45:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fd7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34041:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34149:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341d9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e49:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f069:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ebb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f0db:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f45:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f165:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fd7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f1f7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34041:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f261:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f2d3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34149:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f369:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341d9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f3f9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe, ParentProcessId: 7752, ParentProcessName: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 8012, ProcessName: aspnet_compiler.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.aspnet_compiler.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zam8@qlststv.com", "Password": "2htWJg8Ru9SP..!TZmaka!@"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49709 version: TLS 1.2

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 4x nop then jmp 028759CFh	0_2_02875AE7
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 4x nop then jmp 028759CFh	0_2_0287595B
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 4x nop then jmp 028759CFh	0_2_02875968

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/vrZBY6VkA2Ae HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/vrZBY6VkA2Ae HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/mJcm5Gfa/download
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/mJcm5Gfa/download
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.iovi
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0287AB40	0_2_0287AB40
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0287C8E8	0_2_0287C8E8
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_028734F0	0_2_028734F0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02873DC0	0_2_02873DC0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_028792F0	0_2_028792F0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02879208	0_2_02879208
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02879248	0_2_02879248
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02879267	0_2_02879267
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0287AB31	0_2_0287AB31
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0287C8D7	0_2_0287C8D7
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0287595B	0_2_0287595B
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02875968	0_2_02875968
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02874705	0_2_02874705
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_02872DA8	0_2_02872DA8
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_05CC0040	0_2_05CC0040
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_05CC0039	0_2_05CC0039
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_05CC03CA	0_2_05CC03CA
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0844D750	0_2_0844D750
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_08430040	0_2_08430040
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_08430006	0_2_08430006
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Code function: 0_2_0844CB28	0_2_0844CB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_02CEA5AA	10_2_02CEA5AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_02CE4AC0	10_2_02CE4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_02CEDA68	10_2_02CEDA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_02CE3EA8	10_2_02CE3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_02CE41F0	10_2_02CE41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D2188	10_2_065D2188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D13E0	10_2_065D13E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D8628	10_2_065D8628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D8622	10_2_065D8622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D3248	10_2_065D3248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 10_2_065D3930	10_2_065D3930

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_JULQTRA071244#U00faPDF.scr.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Mutant created: NULL

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.27e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3a89550.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.6813db0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747373203.00000000027E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763963999.00000000065E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Code function: 0_2_02876B1B push 1CB8C3AFh; retf

0_2_02876B21

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000003015000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@\
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000003015000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER;SBIEDLL.DLL<SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER;SBIEDLL.DLL<SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE=VERSION>SERIALNUMBER@VMWARE\|VIRTUAL\|A M I\|XENASELECT * FROM WIN32_COMPUTERSYSTEMBMANUFACTURERCMODELDMICROSOFT\|VMWARE\|VIRTUALEJOHNFANNAGXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Memory allocated: 63C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798981	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794516	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 7439	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 2368	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8199	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7848	Thread sleep count: 7439 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7848	Thread sleep count: 2368 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -99031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98370s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97680s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -97124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -96046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95276s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -94390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1708	Thread sleep count: 1651 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1708	Thread sleep count: 8199 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1799109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798981s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798637s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1798078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797639s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797414s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1797078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1796078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1795078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1794968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1794859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1794750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1794641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704	Thread sleep time: -1794516s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99753	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99400	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98921	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98771	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98370	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98139	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97680	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97561	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97452	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96997	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96653	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96421	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96170	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95276	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95170	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1799109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798981	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1798078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1797078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1796078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1795078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1794516	Jump to behavior

Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware\V?q
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q0VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xent-
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q0Microsoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual@\
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer;SbieDll.dll<select * from Win32_BIOS8Unexpected WMI query failure=version>SerialNumber@VMware\|VIRTUAL\|A M I\|XenAselect * from Win32_ComputerSystemBmanufacturerCmodelDMicrosoft\|VMWare\|VirtualEjohnFannaGxxxxxxxx
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1746499640.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2501339812.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Code function: 0_2_028709F8 CheckRemoteDebuggerPresent,

0_2_028709F8

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	11 Input Capture	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_JULQTRA071244#U00faPDF.scr.exe	45%	ReversingLabs	Win32.Trojan.Generic
QUOTATION_JULQTRA071244#U00faPDF.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://filetransfer.io/data-package/mJcm5Gfa/download	0%	Avira URL Cloud	safe
https://s23.filetransfer.io	0%	Avira URL Cloud	safe
http://filetransfer.io	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
https://filetransfer.iovi	0%	Avira URL Cloud	safe
https://filetransfer.io/data-package/mJcm5Gfa/download	0%	Avira URL Cloud	safe
https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
filetransfer.io	188.114.97.3	true	false	unknown
ip-api.com	208.95.112.1	true	true	unknown
s23.filetransfer.io	188.114.97.3	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filetransfer.io/data-package/mJcm5Gfa/download	false	Avira URL Cloud: safe	unknown
http://filetransfer.io/data-package/mJcm5Gfa/download	false	Avira URL Cloud: safe	unknown
https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://filetransfer.iovi	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://filetransfer.io	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s23.filetransfer.io	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
188.114.97.3	filetransfer.io	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465905
Start date and time:	2024-07-02 08:30:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_JULQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_JULQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 64 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
02:31:39	API Interceptor	3693x Sleep call for process: QUOTATION_JULQTRA071244#U00faPDF.scr.exe modified
02:32:30	API Interceptor	138862x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ServerManager.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	x433.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
188.114.97.3	http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.io	Get hash	malicious	HTMLPhisher	Browse	emmalee.sa.com/favicon.ico
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	DHL Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	640740cm.nyashka.top/providerEternalGameWindowstest.php
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/L69kvhYI/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/Txmfx0A2/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s23.filetransfer.io	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	Purchase Order -JJ023639#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.96.3
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.13.139
	Price List MAYQTRA031244PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.13.139
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.13.139
	l8p4UP25ft.exe	Get hash	malicious	AveMaria, GuLoader, PrivateLoader	Browse	172.67.200.96
	SecuriteInfo.com.Win32.DropperX-gen.10565.11333.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.13.139
ip-api.com	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
filetransfer.io	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	30 - 3050324.scr.exe	Get hash	malicious	Remcos	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	Purchase Order -JJ023639-PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.96.3
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.96.3
	QUOTATION_JUNQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	QUOTATION_JUNQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	https://128.165.205.92.host.secureserver.net/	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe	Get hash	malicious	Python Stealer, CStealer, Xmrig	Browse	104.26.2.16
	http://differentia.ru	Get hash	malicious	Unknown	Browse	172.67.71.89
TUT-ASUS	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	New Inquiry CAD.scr.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	Payment_Confirmation_Receipts.vbs	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Inquiry V1774990 Pump and Valve Technical CAD.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	ISOTRAILER Trailer Sheets Inquiry.scr.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	188.114.97.3
	Inquiry V1774990 Pump and Valve Technical CAD.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1459
Entropy (8bit):	5.357867833060924
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4qpsXE4qdKm:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHW
MD5:	A773BB5737D2A64BDB410F2E8FB75AE4
SHA1:	376EEAB4713E33649D2173B61BB04E0783E26AE0
SHA-256:	C1A11C048FF076862518318A5F07D95CFA07AE8B23552DA5CF627AA7A023CCF5
SHA-512:	66E6C2A97ABC2481F330676B5AB195BB5CD6DC2A0726C4109ED95EA3561E73DD345F8C87994132E985CC19A8CDD8FC9CEE290B88415F5D9AA21591F65B6893C8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.500355915308088
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QUOTATION_JULQTRA071244#U00faPDF.scr.exe
File size:	345'088 bytes
MD5:	2756768c9b94948e6ac6877fd26178e3
SHA1:	30f772fdfdb5a1567d37c9a998f82939d60b6667
SHA256:	b75793ac0d57482cfb4abf41303bc240bb13a089b4b048c0d5ff36f3a19cdc7a
SHA512:	27bcd7ea9b9869f06c8475ebf0c30c1afa34448208cc1fb762d9d7728652f91ea922cf1c5c1f47548e9b2fe1de6c410dd5f82601b2190ceba21e63b83cd5b8df
SSDEEP:	768:JYimXjjjjjjjjjjjjjJp1uHQe21zEjss2S3g1Ircn0sspAgpq8bLyg1uMN0+dzsn:JYi4gQbk/pqELy0uyT+fX
TLSH:	A6740C5A7A745132ED04CA3419F69E11D2DBEE6C2BE0951D24C8F66D1B326FE8F039C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.f.................$...........B... ...`....@.. ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x40422e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x668261CB [Mon Jul 1 07:59:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41e4	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x51a80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2234	0x2400	c6253b9a2840a87e3afd3f5c56d472c3	False	0.548828125	data	5.584131771576688	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x51a80	0x51c00	8acfe2d7fc6746f254f28cd27d7f9c54	False	0.07165340691896024	data	2.352242504536234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	b0841c5250ae8603ad0646edbc6dbbeb	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x60cc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x6218	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x65a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x6a30	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x6d3c	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x7a08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x8ad4	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x9160	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0xae2c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0xd3f8	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0xde84	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x110d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x1531c	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x57380	0xbc	data	0.5797872340425532
RT_VERSION	0x57478	0x3e2	data	0.4134808853118712
RT_MANIFEST	0x57896	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 08:31:40.883423090 CEST	49707	80	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:40.888397932 CEST	80	49707	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:40.888485909 CEST	49707	80	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:40.889220953 CEST	49707	80	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:40.894088030 CEST	80	49707	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:41.553702116 CEST	80	49707	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:41.558413982 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:41.558480978 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:41.558559895 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:41.571542025 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:41.571580887 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:41.594785929 CEST	49707	80	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:42.073191881 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:42.073278904 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:42.111785889 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:42.111819029 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:42.112179995 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:42.157736063 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:42.331387043 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:42.376502037 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.102161884 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.102248907 CEST	443	49708	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.102298021 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.108203888 CEST	49708	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.122684956 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.122735977 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.122798920 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.123156071 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.123172998 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.596887112 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.596982956 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.599095106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.599103928 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.599391937 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:43.600843906 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:43.648494959 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869313002 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869364977 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869396925 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869427919 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869448900 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.869465113 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869494915 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.869496107 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869532108 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869539022 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.869545937 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869585037 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869591951 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.869597912 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.869641066 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.869647980 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874274015 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874309063 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874345064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.874353886 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874409914 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.874512911 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874583960 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874650955 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.874658108 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874739885 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.874840975 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.874847889 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.876060009 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.876106024 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.876112938 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.876200914 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.876269102 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.876275063 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.877135992 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.877162933 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.877187967 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.877193928 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.877244949 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.877430916 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878076077 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878128052 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.878134966 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878169060 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878277063 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878304005 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878330946 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.878338099 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.878360033 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.879931927 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.880016088 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.880022049 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.880232096 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.880319118 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.880327940 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.884419918 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.884557009 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.884593010 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.884599924 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.884645939 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.884654999 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.885507107 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.885560036 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.885565996 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.886441946 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.886471987 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.886501074 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.886507034 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.886528969 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.886553049 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.887394905 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.887456894 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.887511969 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.887562037 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.887917995 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.888020992 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.888044119 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.888050079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.888073921 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.888092995 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.889956951 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.890013933 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.890023947 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.890074015 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.890353918 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.890414953 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.890755892 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.890814066 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.890861034 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.890908003 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.890999079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.891060114 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.891391039 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.891444921 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.973979950 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974031925 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974056005 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.974062920 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974075079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974102974 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974136114 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.974153042 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974165916 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.974189997 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.974410057 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.974464893 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977200031 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977262974 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977273941 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977318048 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977356911 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977400064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977478981 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977504015 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977520943 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977530003 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977559090 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977581024 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977690935 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977722883 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977751970 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977757931 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977786064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977799892 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977819920 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977827072 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977838993 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.977956057 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977991104 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.977997065 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.978003025 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.978018999 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.978035927 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.978041887 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.978063107 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.978092909 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.978373051 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.978425026 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.988646030 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.988706112 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.988706112 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.988718033 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.988754034 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989461899 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989495993 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989516973 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989522934 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989564896 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989594936 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989633083 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989639997 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989674091 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989701986 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989748001 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989777088 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989816904 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989876986 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989905119 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989922047 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989928007 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:44.989945889 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:44.989964962 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.063617945 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063647032 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063745022 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.063757896 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063777924 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063811064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.063812017 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063827991 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.063858986 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.064294100 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.064311981 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.064368963 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.064378977 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.066498041 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.066519976 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.066653967 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.066660881 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068309069 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068325043 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068404913 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.068414927 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068594933 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068609953 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.068666935 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.068675995 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078138113 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078161001 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078275919 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.078285933 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078500032 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078514099 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.078576088 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.078583002 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.125991106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.152775049 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.152802944 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.152873039 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.152884960 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.152921915 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.153137922 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153156042 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153201103 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.153208017 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153256893 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.153503895 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153522015 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153589964 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.153598070 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.153650999 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156146049 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156166077 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156228065 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156234026 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156277895 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156352043 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156377077 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156411886 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156419039 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156446934 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156471014 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156728029 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156747103 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156793118 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156799078 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.156831980 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.156935930 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.171027899 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171053886 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171101093 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.171107054 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171148062 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.171348095 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171365976 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171416998 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.171430111 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.171438932 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.171586037 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.246156931 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246186018 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246273041 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.246294022 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246344090 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.246798992 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246814966 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246891975 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.246900082 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.246988058 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.247123957 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.247148037 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.247215033 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.247222900 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.247289896 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.248308897 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.248323917 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.248462915 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.248469114 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.248507023 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.249166965 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249182940 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249248028 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.249257088 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249294996 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.249623060 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249639034 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249686003 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.249692917 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.249717951 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.249742985 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.260620117 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260646105 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260695934 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.260708094 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260756969 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.260782957 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.260853052 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260874033 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260935068 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.260942936 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.260987997 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.335844040 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.335869074 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.335946083 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.335974932 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336021900 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.336312056 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336328030 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336363077 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.336370945 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336409092 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.336422920 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.336766958 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336782932 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336844921 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.336853027 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.336894989 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.337593079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.337609053 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.337666035 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.337673903 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.337726116 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.338509083 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.338522911 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.338581085 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.338588953 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.338629961 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.339123964 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.339139938 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.339195013 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.339202881 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.339325905 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.349936008 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.349951982 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350028038 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.350035906 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350078106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.350261927 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350276947 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350334883 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.350342035 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350383043 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.350387096 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350398064 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.350426912 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.391618013 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.425067902 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.425086021 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.425148964 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.425168037 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.425215006 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.425930023 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.425950050 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.426013947 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.426022053 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.426062107 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.426243067 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.426290035 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.426320076 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.426326036 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.426351070 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.426366091 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.427045107 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.427059889 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.427115917 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.427124977 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.427186966 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.428378105 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.428394079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.428452015 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.428459883 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.428497076 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.428875923 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.428889990 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.428940058 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.428947926 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.429028034 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.439868927 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.439884901 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.439945936 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.439956903 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.439985037 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.440006018 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.440162897 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.440177917 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.440239906 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.440248013 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.440347910 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.514647007 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.514671087 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.514759064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.514782906 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.514830112 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.515146017 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515163898 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515232086 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.515239000 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515283108 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.515676022 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515692949 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515772104 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.515778065 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.515816927 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.516623974 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.516643047 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.516714096 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.516721010 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.516768932 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.517817974 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.517838001 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.517900944 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.517908096 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.517945051 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.518285990 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.518301964 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.518382072 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.518388987 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.518429995 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.529155016 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529176950 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529247999 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.529267073 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529314041 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.529505014 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529520988 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529587984 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.529597044 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.529634953 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.608455896 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.608494997 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.608560085 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.608577013 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.608602047 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.608613968 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.609702110 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.609724998 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.609802008 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.609823942 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.609870911 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610387087 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610404968 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610464096 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610471964 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610512972 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610557079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610575914 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610608101 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610614061 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610640049 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610658884 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610923052 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610940933 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.610987902 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.610995054 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.611033916 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.611237049 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.611253977 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.611298084 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.611305952 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.611332893 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.611349106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.618868113 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.618897915 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.618942022 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.618949890 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.618976116 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.618997097 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.619292974 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.619308949 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.619366884 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.619374037 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.619420052 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.697905064 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.697927952 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.698009014 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.698024988 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.698091984 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.698848963 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.698865891 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.698920012 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.698926926 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.698964119 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.699445009 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699461937 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699512005 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.699518919 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699556112 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.699714899 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699733019 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699779987 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.699786901 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.699821949 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.700063944 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700087070 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700119972 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.700125933 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700160027 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.700344086 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700365067 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700414896 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.700421095 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.700459003 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.708115101 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708138943 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708197117 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.708206892 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708244085 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.708266973 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.708617926 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708645105 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708708048 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.708714962 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.708756924 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.787482023 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.787503004 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.787612915 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.787628889 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.787673950 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.788321972 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788337946 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788371086 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.788378954 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788422108 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.788827896 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788845062 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788906097 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.788913012 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.788958073 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.789275885 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789294004 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789338112 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.789344072 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789386988 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.789835930 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789851904 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789916039 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.789923906 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789973021 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.789979935 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.789985895 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.790014029 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.790029049 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.790035009 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.790066957 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.790091991 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.798055887 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798074961 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798120975 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.798126936 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798140049 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798158884 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798176050 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.798216105 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.798222065 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.798266888 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.877254009 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.877274990 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.877351046 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.877389908 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.877429962 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.877902031 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.877918005 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.877994061 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.878001928 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878037930 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.878401041 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878415108 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878479958 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.878485918 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878526926 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.878667116 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878681898 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878742933 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.878748894 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.878829956 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.879031897 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879048109 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879092932 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.879098892 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879136086 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.879465103 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879479885 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879539013 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.879544973 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.879580021 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.890989065 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891012907 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891108990 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.891136885 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891191006 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.891304970 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891328096 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891362906 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.891376019 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.891411066 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.891431093 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.966877937 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.966905117 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967092991 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.967125893 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967205048 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.967581987 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967598915 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967696905 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.967706919 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967756987 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.967953920 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.967972040 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968039989 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968046904 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968095064 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968266964 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968282938 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968359947 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968368053 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968413115 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968655109 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968671083 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968754053 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968761921 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968812943 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.968981981 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.968997955 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.969069004 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.969075918 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.969121933 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.980432987 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980459929 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980540037 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.980547905 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980607033 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.980746031 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980767965 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980829954 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:45.980838060 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:45.980891943 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.056619883 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.056642056 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.056711912 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.056731939 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.056773901 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057059050 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057082891 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057117939 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057126045 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057152987 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057173967 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057646990 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057668924 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057723045 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057729959 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057768106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057904959 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057924986 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.057982922 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.057990074 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.058027029 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.058716059 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.058733940 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.058810949 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.058818102 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.058854103 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070053101 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070075989 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070131063 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070146084 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070183992 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070322037 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070343018 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070390940 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070398092 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070437908 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070609093 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070625067 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070683002 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.070689917 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.070735931 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317197084 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317228079 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317279100 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317293882 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317321062 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317341089 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317487955 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317503929 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317555904 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317564011 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317608118 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317744970 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317765951 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317806959 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.317815065 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.317848921 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318101883 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318118095 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318176031 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318183899 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318223953 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318361998 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318377972 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318442106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318449020 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318485022 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318506956 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318533897 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318542004 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.318556070 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.318586111 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319154978 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319170952 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319226027 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319233894 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319272995 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319303989 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319323063 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319355011 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319363117 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319385052 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319405079 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.319958925 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.319974899 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320025921 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320033073 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320045948 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320064068 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320072889 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320080996 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320111990 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320121050 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320136070 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320137978 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320147991 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320179939 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320213079 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.320971966 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.320990086 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321048021 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321050882 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321068048 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321083069 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321101904 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321132898 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321140051 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321150064 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321177959 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321192026 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321198940 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321249008 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321265936 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321894884 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321917057 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.321969986 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.321980000 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.322025061 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.322026014 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.322036028 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.322065115 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.322076082 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.322082043 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.322109938 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.322124958 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.331202984 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.331218004 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.331283092 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.331291914 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.331338882 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.332144976 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332159996 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332222939 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.332235098 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332283020 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.332799911 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332814932 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332866907 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.332878113 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.332922935 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.333230019 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333245039 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333297014 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.333303928 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333350897 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.333589077 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333605051 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333659887 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.333668947 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.333708048 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339243889 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339261055 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339328051 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339359999 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339404106 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339581013 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339596033 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339637041 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339644909 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339670897 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339685917 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339867115 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339883089 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339939117 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.339946985 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.339998007 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.421350002 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.421391010 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.421452045 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.421480894 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.421498060 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.421524048 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.421977043 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.421993971 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.422048092 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.422055960 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.422094107 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.422534943 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.422552109 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.422600031 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.422606945 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.422630072 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.422646999 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423194885 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423218966 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423268080 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423274040 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423299074 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423319101 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423593044 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423643112 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423659086 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423665047 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423680067 CEST	443	49709	188.114.97.3	192.168.2.10
Jul 2, 2024 08:31:46.423691988 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423712015 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.423737049 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:31:46.424202919 CEST	49709	443	192.168.2.10	188.114.97.3
Jul 2, 2024 08:32:30.479021072 CEST	49707	80	192.168.2.10	188.114.97.3
Jul 2, 2024 08:32:30.951042891 CEST	49714	80	192.168.2.10	208.95.112.1
Jul 2, 2024 08:32:30.956034899 CEST	80	49714	208.95.112.1	192.168.2.10
Jul 2, 2024 08:32:30.956161022 CEST	49714	80	192.168.2.10	208.95.112.1
Jul 2, 2024 08:32:30.956738949 CEST	49714	80	192.168.2.10	208.95.112.1
Jul 2, 2024 08:32:30.961803913 CEST	80	49714	208.95.112.1	192.168.2.10
Jul 2, 2024 08:32:31.434479952 CEST	80	49714	208.95.112.1	192.168.2.10
Jul 2, 2024 08:32:31.485347033 CEST	49714	80	192.168.2.10	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 08:31:40.863044024 CEST	53506	53	192.168.2.10	1.1.1.1
Jul 2, 2024 08:31:40.874078989 CEST	53	53506	1.1.1.1	192.168.2.10
Jul 2, 2024 08:31:43.110055923 CEST	59229	53	192.168.2.10	1.1.1.1
Jul 2, 2024 08:31:43.121818066 CEST	53	59229	1.1.1.1	192.168.2.10
Jul 2, 2024 08:32:30.932450056 CEST	64223	53	192.168.2.10	1.1.1.1
Jul 2, 2024 08:32:30.939244032 CEST	53	64223	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 08:31:40.863044024 CEST	192.168.2.10	1.1.1.1	0xbaeb	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:31:43.110055923 CEST	192.168.2.10	1.1.1.1	0x570d	Standard query (0)	s23.filetransfer.io	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:32:30.932450056 CEST	192.168.2.10	1.1.1.1	0x8872	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 08:31:40.874078989 CEST	1.1.1.1	192.168.2.10	0xbaeb	No error (0)	filetransfer.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:31:40.874078989 CEST	1.1.1.1	192.168.2.10	0xbaeb	No error (0)	filetransfer.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:31:43.121818066 CEST	1.1.1.1	192.168.2.10	0x570d	No error (0)	s23.filetransfer.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:31:43.121818066 CEST	1.1.1.1	192.168.2.10	0x570d	No error (0)	s23.filetransfer.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:32:30.939244032 CEST	1.1.1.1	192.168.2.10	0x8872	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s23.filetransfer.io

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	188.114.97.3	80	7752	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 08:31:40.889220953 CEST	95	OUT	GET /data-package/mJcm5Gfa/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Jul 2, 2024 08:31:41.553702116 CEST	822	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 02 Jul 2024 06:31:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/mJcm5Gfa/download CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zYApBKPfV%2FGuJ9y6JoAHQ4Tt1rKql9j9eImCwPow6DF%2BnnO%2BwxoL9d69U%2BJZGiJi%2Fv8wZFGsF1aSWEHA0qgpIU5xjJyP4DgWmI31VEvLZNyf9buU9eKsPc2itVRsjwSkyis%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cc98232cf84271-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49714	208.95.112.1	80	8012	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 08:32:30.956738949 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 2, 2024 08:32:31.434479952 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 06:32:31 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	188.114.97.3	443	7752	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 06:31:42 UTC	95	OUT	GET /data-package/mJcm5Gfa/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-07-02 06:31:43 UTC	1055	IN	HTTP/1.1 302 Found Date: Tue, 02 Jul 2024 06:31:43 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=035g0k1hb4th4dua7po4fm3nec; expires=Tue, 16-Jul-2024 06:31:41 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Em3QIJ0FKuZcTaX1v2BclFAtHg58V6TUNxG%2B6TUrGxfA%2FCw0cJKTBlv5Sf6HaJ9QPJO9TyEgH2CyTOWQugG08ts%2BaztcFb04kAUxhLGVPZeHvrKzFw%2FPwSbaogELC8CPcoA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cc9829efca7cf9-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 06:31:43 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 33 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 76 72 5a 42 59 36 56 6b 41 32 41 65 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae">Please click here to continue</a>.</p>
2024-07-02 06:31:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49709	188.114.97.3	443	7752	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 06:31:43 UTC	98	OUT	GET /storage/download/vrZBY6VkA2Ae HTTP/1.1 Host: s23.filetransfer.io Connection: Keep-Alive
2024-07-02 06:31:44 UTC	1053	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 06:31:44 GMT Content-Type: application/octet-stream Content-Length: 2257416 Connection: close Last-Modified: Mon, 01 Jul 2024 04:57:35 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=05682a500a5b67feea2a911e92a7fcf5; expires=Tue, 16-Jul-2024 06:31:44 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Dhgkkh.wav" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "6682373f-227208" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qgI7MIAa5kXjUCvriQ12doUdBAjm3LQsqKU4o%2FKFudpSI8gPPVstfbwEKGrFzns17aWxZ5aNZNxamnCgtfq94r0Nia48tVLQf%2Fa7Lq1tVArAqRYwhnpnN8sZ5UxqDf3HKmsgOug%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89cc9831e862439f-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 06:31:44 UTC	316	IN	Data Raw: 45 22 33 b7 8e d6 69 ef 85 95 03 92 f8 10 1d 32 5f d0 bb f1 dc 97 a3 74 61 ff 66 cb bf 4d 09 c6 6d 38 7b 40 a0 9a 39 2e e2 af ba 77 1f 99 89 21 6a 79 d2 bc f3 e1 bb 8e 9a d4 44 a6 bb 0f 6f b2 c6 fc c4 93 56 33 48 3c 55 cd 8b 37 4e 7a 6b 35 6a 22 51 bf 0d e8 b3 e7 1b 61 c6 81 7e ac e4 b9 db bf 1b 4f 89 6a 1e d3 c9 ce 4e 77 70 24 7f 1e d1 e6 78 7c 8d 60 64 1f a2 09 6d 7f ba f8 18 9e 0a c2 cd c3 3f 25 d6 a0 65 a5 6a 99 5a 20 11 e4 9e bf 2f cc 56 00 0f 61 ca 14 c2 5c 8e 34 fd cc 3d b1 44 06 fe f4 54 8b 15 bf c9 f7 3a 9a 0f 2c e4 91 14 83 00 9d eb 18 4e ed 5b 32 c5 da 11 17 e4 28 33 2c 35 43 df eb 28 25 b0 af 93 c7 0f fc aa 24 11 e7 8d 9a d0 ee 0c 32 5d 21 e4 b4 9b 98 43 07 26 3a 55 a1 e3 04 6e f0 94 33 46 bc a7 3b 4c e1 6d 85 20 f7 c4 a8 a8 0b 07 d7 e4 07 b2 Data Ascii: E"3i2_tafMm8{@9.w!jyDoV3H<U7Nzk5j"Qa~OjNwp$x\|`dm?%ejZ /Va\4=DT:,N[2(3,5C(%$2]!C&:Un3F;Lm
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 81 19 1b 18 ec 04 dd 51 64 7e 26 c4 5c 4a 24 80 e3 0c 22 28 7e c3 9f 2c f8 28 a2 90 c8 25 61 20 0a 62 49 ed c3 4c 67 77 ba cd 8c f3 00 f8 cc 47 25 4b 5c 8e 27 17 72 16 7f 38 ea 9a 8a c0 2c 67 f8 3c 25 cc b3 b1 e2 b7 c5 43 e3 9a 34 56 dc 15 c4 ef c7 c2 e2 e7 66 f4 8a 55 51 0d a6 44 7a 17 11 4a 12 0c ad 3b 0b 3d e3 85 9b b6 b6 79 62 2a e7 01 dd 31 f9 e4 ef 87 2e 7c 54 29 dd 6a 71 39 24 88 2a 6e 33 7f ac b6 37 59 0a 99 bc 29 02 a0 d3 af 7f e0 0c e3 f4 b6 b7 f6 29 d4 81 ee bc c8 da ec a3 ae fe 8b ea c2 9a 53 12 dd 5b 0f 5b cf ea 32 14 d9 35 d3 4b 51 d4 4d af 9e c9 45 73 4d 53 11 81 cf f6 f3 59 98 65 1b ff bb a4 7f 16 c1 bf bf 78 df 83 17 1e 0e d2 51 a2 54 2b 52 cb 55 6d 69 d2 41 e1 e4 d7 48 c1 7a bd a8 48 fc 60 76 64 9a 55 36 42 c6 63 69 9c ed b4 e3 c9 01 30 Data Ascii: Qd~&\J$"(~,(%a bILgwG%K\'r8,g<%C4VfUQDzJ;=yb1.\|T)jq9$n37Y))S[[25KQMEsMSYexQT+RUmiAHzH`vdU6Bci0
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 52 c2 4b 27 5a c5 7d b5 dd 7c dc 36 87 e1 dc dd f7 77 c7 21 bb b7 14 3e 2a 3e c1 1e a6 1b 1c 79 47 a2 2d 36 93 ff 33 a0 e4 07 88 cc 7f 33 28 65 7f 42 ee bf 21 37 b4 09 dd 0b d9 8d 22 f6 0f 37 ca 2c ac 0b 21 d4 80 6b af ae 60 1c 1b f2 ee d9 6f d7 f9 76 c4 e2 b5 6e 62 24 9d f5 97 87 2d fe 60 18 85 ab b3 7b 62 a3 cd c9 3d d8 7b a6 7b 81 6f 51 96 a4 9c 8e 39 db 77 2e 73 be 7e cb 5b 8e 7b a3 85 67 4f 38 4e 6e 17 33 f7 65 3a b0 b8 c9 f4 bd 25 8f 8a 8b 9e 78 3e 83 a2 b5 50 9b 5b c4 88 a1 3c d3 1d 6f ab 10 72 52 ba 2f a6 18 de 87 fb 99 6f 12 df 18 75 11 67 c7 e1 1b ba 6b 7e dd a7 b6 1b 46 a2 72 47 87 ee 23 30 42 d2 7a b7 36 b2 2b 82 65 d2 e1 1c 95 8c d6 5c 5c 75 96 ea ce cc 94 ec 7e 3e 5a 56 72 3d 01 c7 cb 30 61 5f 99 d7 a7 cd ea 3c 26 1c fc 40 dd 7f c4 a0 26 54 Data Ascii: RK'Z}\|6w!>*>yG-633(eB!7"7,!k`ovnb$-`{b={{oQ9w.s~[{gO8Nn3e:%x>P[<orR/ougk~FrG#0Bz6+e\\u~>ZVr=0a_<&@&T
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: a1 7b d2 10 e3 bc 66 1c 05 77 d6 87 91 bd a6 b9 23 aa d5 f9 3a 79 3e ac 52 40 65 e8 6a 04 c0 b7 86 a7 28 64 5c 11 e0 1e 42 98 88 3f b4 35 a6 3e 83 c3 ef a3 83 9d 6e 26 7a 76 28 a2 6a 62 02 78 5d 67 ee ab 1a ff c9 2a ef 23 a3 e0 e3 77 3d c5 92 4a 4c 57 a9 e7 62 ff 2e 53 f5 45 71 59 36 76 5f 2b 45 d5 ec 43 07 1f 5c da fc 0a 34 eb 0d ba eb cb 65 02 95 ce fb b8 35 56 57 e3 76 b6 2b 0d b6 7b 7f d9 56 10 d0 4c 75 48 f9 18 7f 4d 81 01 d9 6c 23 02 07 f3 0f c5 78 64 b2 09 85 8c 94 25 80 34 12 bc e3 0f 62 c7 9d 8d f1 42 f3 ee 76 1b 30 e3 92 75 74 3f d4 0d de c7 f2 1e b8 a0 6f 00 37 3f 24 aa 35 9f 9a 0c 48 11 3b f8 9b f5 c2 86 12 6f a5 c2 66 e3 4e 98 46 82 bb 47 fa 03 da ad a4 12 72 8c a5 10 1c d3 d3 64 80 f6 6a 76 9b 5f 48 de 37 c7 1e ab 35 e0 6a a6 97 c0 8f 83 1d Data Ascii: {fw#:y>R@ej(d\B?5>n&zv(jbx]g*#w=JLWb.SEqY6v_+EC\4e5VWv+{VLuHMl#xd%4bBv0ut?o7?$5H;ofNFGrdjv_H75j
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 3a 2e d4 0d 95 82 7d 14 4b 12 bd da 8d 60 88 e4 7a 40 17 ef 8a 87 0e 68 57 53 05 46 de a9 ed 2f 1d f7 fe 8d 3d aa 02 0e 29 e0 a0 04 2b 97 26 f1 95 77 40 48 91 41 85 21 58 72 7f 23 b6 a2 13 1e 2f e7 42 10 96 4a 8f 80 05 0c 22 db 5b f4 4c ef 13 8b e9 32 44 16 07 ee af 0f c6 01 24 3c a7 a1 c5 87 87 7e 2e 58 a2 4e b4 da 0c a6 4a 38 d4 e4 e6 11 1e dd fb a4 0b dd 86 7c 8a b6 a9 09 ed 91 90 d9 11 59 4a 58 f0 8e 2b aa a4 57 2a e5 b8 f8 0b 93 23 21 a6 08 40 8b 8e 64 7d 2d a7 e0 91 8b 2c 50 6f a6 2d 7a c2 ee 05 6d 9b 7c aa d0 87 49 6f 9f 12 18 d9 4b b7 b8 f0 bd 77 7a d9 bb 0b c7 d1 44 85 76 7e 20 c0 f7 eb d5 1e 62 80 70 c4 e0 76 51 39 1e 0b 68 38 a8 e5 6d 2c f3 b3 65 b7 3b be 34 a6 11 cf 0b 4f 02 1c f9 2f db ad b4 0d ec 86 29 1e 59 de ca 8f 59 0c 9f be 21 7a 2d b1 Data Ascii: :.}K`z@hWSF/=)+&w@HA!Xr#/BJ"[L2D$<~.XNJ8\|YJX+W*#!@d}-,Po-zm\|IoKwzDv~ bpvQ9h8m,e;4O/)YY!z-
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 84 36 5f 95 dc ab 56 6e a8 ea a5 d9 d1 a8 95 be bd 44 75 61 8b eb f5 e3 08 f3 62 f7 01 34 22 f2 1c 3c 45 5e 71 83 2b 3f bb 33 13 ce fe d2 83 6e 0c bf 04 46 e3 f6 8e 5c 43 51 27 cc 94 7a 3e 57 9a b4 6b fa 4e 1a e7 14 69 f8 dc c1 6f 27 11 a5 54 a1 53 c7 91 fd d1 33 3d 4c de d1 c0 aa 15 f4 14 b9 78 89 86 4e 70 e8 36 25 a0 08 c4 d5 ed 02 39 5c 2d 3d 4f 53 70 4f d0 32 13 22 cb d6 ae 68 e8 46 09 d3 5b 4d 17 33 55 c4 dc 8d d2 d5 66 42 2d 74 f3 a6 3b 36 c3 70 4c 59 f4 68 9d 1e fd 6f 34 45 47 76 9b c4 60 6c b8 db de 05 a5 05 e7 4f 4f 89 d0 9d c5 c8 68 de 2f c8 d1 45 8f dd 5d 3b 84 72 42 54 35 91 75 1a 9b 2e 0a b1 d6 5e 98 48 ef e7 3b f5 d3 a5 e9 c8 32 00 97 ae 88 5d 91 22 79 16 aa 0f 93 4b 4c 6f ed 3b fc 9b f4 e9 0a e7 83 f6 02 45 a5 44 bf 31 31 73 74 4d 3a 31 6e Data Ascii: 6_VnDuab4"<E^q+?3nF\CQ'z>WkNio'TS3=LxNp6%9\-=OSpO2"hF[M3UfB-t;6pLYho4EGv`lOOh/E];rBT5u.^H;2]"yKLo;ED11stM:1n
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 8d 56 2b 2b 28 59 b0 8e 54 25 f4 5e b6 b2 3c 6d 9b c3 20 15 0c e5 7e eb c8 be 83 9e 7c 02 94 aa d3 f6 e1 d2 ad aa 3b 18 c8 74 1c 81 58 69 46 e9 a4 2f 14 1d b9 60 b7 4e cf 8d 4e 56 92 ea 64 ef 2c 86 fd d1 b8 fa 24 01 8f 17 89 38 12 c2 69 61 59 b2 2a 88 2b be bb 76 6e bb a1 a3 ca c8 51 97 8b 4a 0f 1f e4 24 0c de 80 61 9d f4 84 14 f5 bf e7 3b 5a 91 d0 c3 f4 c3 0c c6 2d 46 07 71 62 50 f4 c7 ec c6 e9 4e 5b 2c 17 eb c5 5e a4 5c 73 9a ff 5c 71 a6 04 f8 bf 5b 02 43 b4 f4 18 ff 48 68 9f fb c0 58 b1 68 90 b0 63 d9 79 00 57 b2 11 a0 b6 62 f8 fa 10 e7 75 c5 71 9e 3d 25 b3 6a bf 95 38 e6 31 0a 54 47 d4 4b 57 9d 10 94 3b 1e da a7 10 f7 7c f2 01 97 9f 32 eb 8a 61 53 0b b8 ba 24 b7 3e be a9 04 df be 1d 11 15 3c cd de 8b dd cf 20 74 c5 85 a3 f9 97 a8 c9 74 76 0a 80 bf f6 Data Ascii: V++(YT%^<m ~\|;tXiF/`NNVd,$8iaY*+vnQJ$a;Z-FqbPN[,^\s\q[CHhXhcyWbuq=%j81TGKW;\|2aS$>< ttv
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 79 a0 05 4a e7 10 e5 04 3b dd 63 f9 49 dc b5 c0 a7 37 90 8c c9 da 17 5f 0a 71 b7 ef a7 a0 31 92 42 fe 10 e3 a4 83 1f a0 95 75 e8 20 39 92 6c b4 b7 ee 6d d4 b3 9c c7 70 26 de c9 55 7f b1 ae 46 29 4f db 16 93 ef 63 0c af 6b bb c7 9e 1d ed 7f 84 65 aa 79 89 01 c3 58 a5 3d 48 f7 09 8d da 29 c7 b5 41 02 ff 5a d8 53 18 db 40 e8 df f7 c8 b0 49 c7 64 49 7d 05 e3 6a cd b5 6f 8e 04 b5 57 ee 57 b7 1e 20 dd b5 c3 6a b1 20 ad 0e 5e de 0b 55 4e 0a de 40 53 4f cf 47 d9 12 04 55 e3 ae 0b e3 59 21 06 f0 bb cd 90 48 e4 63 ca 1e d4 66 c7 0e d2 31 b1 65 99 6d 8a 67 69 36 c8 98 78 84 e8 ce 1d 14 23 b3 ba b3 4d 35 9e bd 60 3a 0f c8 80 7a 62 59 62 3a bb 4d e0 ea 56 1f 6f 62 02 44 4e 76 b5 a3 28 0c 22 94 2c 57 10 2b b6 9e 9e 7a 8c a3 dc 7d 22 2a f5 aa 4a 92 1e 25 d4 a7 fd 59 6f Data Ascii: yJ;cI7_q1Bu 9lmp&UF)OckeyX=H)AZS@IdI}joWW j ^UN@SOGUY!Hcf1emgi6x#M5`:zbYb:MVobDNv(",W+z}"*J%Yo
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 2f ba 55 2a 0b 12 e6 9c 59 a0 81 b6 d1 e3 f4 e1 55 43 6c a4 76 1d 96 30 88 cb 15 f6 73 51 90 2e 5b 06 27 35 fd 80 1f 07 52 62 19 af 32 8b 4f 35 d8 7c b6 d9 ed fc 35 34 b0 3c e3 54 46 64 c3 20 16 d0 6a f5 37 89 fe 01 b5 6f fe 36 d9 e4 cf a8 4d 10 7a 82 7b 32 ca 00 09 ff d6 5b f6 7a c3 00 2f eb 2b 45 60 54 cd bc 6d 05 6f 85 61 a8 2e ce 86 6d a0 93 b7 a4 5f 4f cc c6 d8 76 a5 04 ed b3 36 af d6 f3 00 aa 48 1e 73 d5 fc ec d9 8c 4b 90 af 42 c2 3b 33 41 99 c8 c7 f9 32 1a 3a 5e b7 0e 92 be 2e f8 dd 72 48 6f 96 61 97 fa 45 bd b8 38 2f 04 a6 91 fe a8 2e d8 ea ad 9f 96 b9 8d d6 c0 14 da 42 5b 57 0c 1b af be f5 d1 87 13 e8 6f bd bb 2f c4 5f 39 8e c9 aa bc 4d 76 2a 7f c0 98 20 c0 6e b2 a6 7a 1a 95 6b 35 d0 71 70 db d1 6e 80 1f d0 2b 90 1c 7b 78 59 81 c9 39 60 a4 04 fe Data Ascii: /UYUClv0sQ.['5Rb2O5\|54<TFd j7o6Mz{2[z/+E`Tmoa.m_Ov6HsKB;3A2:^.rHoaE8/.B[Wo/_9Mv nzk5qpn+{xY9`
2024-07-02 06:31:44 UTC	1369	IN	Data Raw: 80 a9 87 6f 77 46 1a 39 7c ff 55 df 6d 23 e5 b1 24 45 f6 e4 5d c0 dc d2 ad 58 d5 b1 94 c1 f6 6d c9 8b ee 68 3e e8 26 92 76 55 2b fe 75 c3 db 8b 04 55 9b e1 6f 38 5f 92 07 2b 6b 06 9c ae 1d 26 b0 f1 78 53 8a 7b a9 9b 06 55 35 e4 69 82 45 d3 6e 4d 02 01 62 be 17 86 66 34 de 53 58 a0 67 1a 86 93 ae ef 9a 84 41 55 d7 12 84 ad 1e d2 e0 20 fc 0f 76 03 07 7a 02 30 34 b1 12 7d 3a 9e 57 e1 4f 9d 84 db c4 0c be 80 ae 33 bf 4b b4 bf d8 b3 c3 f1 42 db 8b 8c 87 8a b2 a0 09 fc 15 3a a1 26 75 91 88 92 67 8c c5 78 33 2d 9f e7 f0 58 af 50 fa 71 97 c2 53 1e df 9a dd 4e 77 2c 5e 05 36 45 14 6a 72 25 db 53 fe 63 65 17 79 68 ed f1 d0 a1 fd a3 6c 26 ff 52 b3 3c da 0d 20 a3 af 8c 96 a6 6d 08 a7 5b ae 7e 6b 6c e6 76 80 11 60 75 80 42 b4 f4 0a e4 a5 7b 59 00 f5 fc 9b d2 de dd cf Data Ascii: owF9\|Um#$E]Xmh>&vU+uUo8_+k&xS{U5iEnMbf4SXgAU vz04}:WO3KB:&ugx3-XPqSNw,^6Ejr%Sceyhl&R< m[~klv`uB{Y

Target ID:	0
Start time:	02:31:39
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x600000
File size:	345'088 bytes
MD5 hash:	2756768C9B94948E6AC6877FD26178E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1747373203.00000000027E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1763963999.00000000065E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:32:29
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xb70000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	72.7%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 028709F8 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02870A6F

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9b583765284c190192c2136ed726b43caa25bcead04e8aacf6b0eb7d212a659e
Instruction ID: 99cf6fb0769c07686c43fe62e470a2e2ab8eff89e948febd3bac10065dfb6ed9
Opcode Fuzzy Hash: 9b583765284c190192c2136ed726b43caa25bcead04e8aacf6b0eb7d212a659e
Instruction Fuzzy Hash: E1216A76D003498FDB14CFAAC4447EEFBF5AF48320F14842AD859A7290C7789A45CFA0

Function 028734F0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VBm, xrefs: 028737A7

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: \VBm
API String ID: 0-971115878
Opcode ID: 9e46c5fd84fa1dea85c07e37322cdac609c4619a8750247d3d74f5bb27e3fe2a
Instruction ID: ab39dfeb1de2400620aca32a0ceab98ef65b9483a37d68408294e440ad9fd851
Opcode Fuzzy Hash: 9e46c5fd84fa1dea85c07e37322cdac609c4619a8750247d3d74f5bb27e3fe2a
Instruction Fuzzy Hash: 36B12D78E002198FDB14CFA9C88579EBBF2BF88354F148169D419E7294EB74D845DB82

Function 0844D750 Relevance: 1.5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Dq, xrefs: 0844D855

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 8a57948b897638c8651e77fe3da2da452d0d1867e9d64bd4bd85e7fb7486be1e
Instruction ID: 8eed79ac22eb0da7161a3e8f585f5edc16ffbee701e660eb869107eaab9f56d1
Opcode Fuzzy Hash: 8a57948b897638c8651e77fe3da2da452d0d1867e9d64bd4bd85e7fb7486be1e
Instruction Fuzzy Hash: 97D1C274E01218CFDB54DFA9D984B9DBBB2FF89301F2081A9D509AB365DB319982CF50

Function 0287C8D7 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175bb0d6721f55b2f72bbb529b4fe139a5fe812cda83bdcb5930d399803f4f22
Instruction ID: ee6a82a5e28710288b641f40000c2be99e6aaaa07ff78fa1b497523c25e03b4f
Opcode Fuzzy Hash: 175bb0d6721f55b2f72bbb529b4fe139a5fe812cda83bdcb5930d399803f4f22
Instruction Fuzzy Hash: B7D1C278E00218CFDB54DFA8D844BEEBBF1FB49309F10916AD419AB294D7749985CF90

Function 0287C8E8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513bbcc9a0b1dd4d03a382a3fbe77e5e5e0a0db4a05c7bb6cb86b5ac4bfb5963
Instruction ID: 7093168a23ae9bc2243bc778c2e086cb4c7e5f7d02e16d85fb0092015745c770
Opcode Fuzzy Hash: 513bbcc9a0b1dd4d03a382a3fbe77e5e5e0a0db4a05c7bb6cb86b5ac4bfb5963
Instruction Fuzzy Hash: B1D1E178E00218CFDB54DFA8D844BEEBBF1FB49309F10816AD419AB294D7789985CF90

Function 02873DC0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0a54875ff0805a44d514edc17403724d16644dd8c2f562f1a4e471b98ce05f
Instruction ID: 32f7a56f88390e29768b41d35bca915cc924299d60c0ca1dc3b56ddccffbf396
Opcode Fuzzy Hash: 3f0a54875ff0805a44d514edc17403724d16644dd8c2f562f1a4e471b98ce05f
Instruction Fuzzy Hash: 88B15E79E00209CFDB14CFA9D88579EBBF2BF88354F148529E419E7294EB74D845CB81

Function 0287AB31 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db458aabf2f19dba2a950f280becaabaa3206007069f27dede10a21280718d5
Instruction ID: b22e706ecfc742d3a4f5b6f99abfa17c4daffc1b49680a265bd60ce36b8d3ea9
Opcode Fuzzy Hash: 5db458aabf2f19dba2a950f280becaabaa3206007069f27dede10a21280718d5
Instruction Fuzzy Hash: FDB13878E05218DFEB14DFA5D844B9DBBF1FB89304F1080A9E409AB395DB759986CF04

Function 0287AB40 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f986aad21c5cd2e8491bd21275ff316e09f19be58712256f0534466e0183f464
Instruction ID: b3cbcbf335d460735e14884ffef6e9c29128955e2224d9317195a48d042492d2
Opcode Fuzzy Hash: f986aad21c5cd2e8491bd21275ff316e09f19be58712256f0534466e0183f464
Instruction Fuzzy Hash: ECB13978E04218CFEB58DFA5D844B9DBBF1FB89304F108069D409AB395DB759986CF04

Function 02874705 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cae3fed80e154fff97acab6b4cae35842efd0dd59b861810bb664f7c7898b22
Instruction ID: 85fe556bd1d044d2f3f9398afca03354b204eb54209ade49e2f639e2a447af3b
Opcode Fuzzy Hash: 5cae3fed80e154fff97acab6b4cae35842efd0dd59b861810bb664f7c7898b22
Instruction Fuzzy Hash: 439128B8E0420CCFDB44DFA9E444BADBBF5FB8A348F109129D419AB265DB759946CF00

Function 028709F1 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02870A6F

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f218de58c3c218763985663d549e1d45bed96d80b5babac49df2baa3a6500846
Instruction ID: e145af995360c12252fa58f289f2eca012de2d3f98263575f4241978150a867c
Opcode Fuzzy Hash: f218de58c3c218763985663d549e1d45bed96d80b5babac49df2baa3a6500846
Instruction Fuzzy Hash: 14214A76D003498FDB14CFAAD4447EEFBF5AF48320F14842AD859A7250C7789A45CFA0

Function 02874490 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 028744EE

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e4cccfea7c7e6c9ec112f124eb5ce63d37b554e5d4abb17d69f24f0caa32ef7a
Instruction ID: 9c4af78c239607c568c249c30dc2f9b14da036f56d60ac6c927dc86be7698c7b
Opcode Fuzzy Hash: e4cccfea7c7e6c9ec112f124eb5ce63d37b554e5d4abb17d69f24f0caa32ef7a
Instruction Fuzzy Hash: 9621DCB59043898FCB21CFA9C4097EEFFF0EB09314F14805AD549AB251C378A584CFA1

Function 028744A0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 028744EE

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b9fa54fd9cf8cd2849c54448c4627c465a0ab75c6d4afddaf7e13f5ebbca88b4
Instruction ID: 52d27ff582493c5d4f6ebcaa8537fc832b3b457e941f75c74dc55e099bb7b57a
Opcode Fuzzy Hash: b9fa54fd9cf8cd2849c54448c4627c465a0ab75c6d4afddaf7e13f5ebbca88b4
Instruction Fuzzy Hash: 8A2113B99003498FDB20DF9AD4497EEFFF4EB08314F24841AD559A7250C3B9A984CFA5

Function 0844F6E0 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4'q, xrefs: 0844F719

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 8db2e7e3454a6dd663e5493ad3787fe4ad448f64c9b9f2ffde99c4f2bb1cdf7e
Instruction ID: f322ad72def34b41122b95d6deafb34e340f849a726ed1d5b5c319bdf4a92066
Opcode Fuzzy Hash: 8db2e7e3454a6dd663e5493ad3787fe4ad448f64c9b9f2ffde99c4f2bb1cdf7e
Instruction Fuzzy Hash: ED216076700204AFDF089FA4C954A5ABBB6FFCC311B1544A9EA05AB361DE71EC16CB90

Function 01020A20 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

Teq, xrefs: 01020A54

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: bb4f577364cf5530c2d5d1c7eeb1c2b1b55ca15b087e5daacb9ed3591571d71e
Instruction ID: b141bd37e85d928e32c626bd4c7d88dee8999e56e5d852b30f845aa0a7027e9e
Opcode Fuzzy Hash: bb4f577364cf5530c2d5d1c7eeb1c2b1b55ca15b087e5daacb9ed3591571d71e
Instruction Fuzzy Hash: 0621EB30B08360CFC744E7384455A7E7BB5AB85600B944666F447DB349EA319D01C7D3

Function 010208E7 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Teq, xrefs: 0102090E

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: b9f759833cc06818b80cbb57a445aae74a5cc25aa5f68330a028414eafe7d0b7
Instruction ID: 74c85846a0e9256b61c35bafb0e696c3191efa0ecdcb37f31421b67efe31cfc6
Opcode Fuzzy Hash: b9f759833cc06818b80cbb57a445aae74a5cc25aa5f68330a028414eafe7d0b7
Instruction Fuzzy Hash: F8212874700324CFE744DB69C898B6DBBA2BF89710F2544A9F487AB3B9CA709C41CB51

Function 01020A30 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Teq, xrefs: 01020A54

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 9cc818b98521d3996b34a85267d882512de9fa41b965ae3f346572d2c96891fc
Instruction ID: f444d3e633a87a4f5eab94dcd1088a5f70d088ccda18bec050d80f62b400f65d
Opcode Fuzzy Hash: 9cc818b98521d3996b34a85267d882512de9fa41b965ae3f346572d2c96891fc
Instruction Fuzzy Hash: BF119830B04320DF8B44EB788454A7E76F6EB85611B944666F44BEB348EF719D4187D3

Function 01020AD5 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teq, xrefs: 01020A54

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: d45069cbd022843c9a9b5216ec06f29cf778bdacc96b522116d8802bcd5c1ddd
Instruction ID: ef59e76a8117f1d44ab1022e4cc63d9cd40d6084a496cd2a95a66ac2704adbb3
Opcode Fuzzy Hash: d45069cbd022843c9a9b5216ec06f29cf778bdacc96b522116d8802bcd5c1ddd
Instruction Fuzzy Hash: 16119631708330CFCA08A7288458B3E76A6ABC5611BD48666F48BDF75DEF719D428793

Function 01021FBC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c6254a6703e9c5433726c1f1ea9dbe85cbd9ebd56710ff4c420d3d07740f29
Instruction ID: c1d0ab254908b6a4f01d9bf94ce8d6c693a0da541fa46173956d79cf896da550
Opcode Fuzzy Hash: 38c6254a6703e9c5433726c1f1ea9dbe85cbd9ebd56710ff4c420d3d07740f29
Instruction Fuzzy Hash: 94F0653520A261CFC302A7B4E4517393BB6EF4665475540A6E086CB267EA699C42CBA2

Function 010212FC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0a35a49430752c0f0507b0276bb837c350900880b296b3d42d0b78a8623ba0
Instruction ID: 2a02292547d4f1250f8aa01a9bcfacc50858e8ec348d2c147f191a20e6d50e2c
Opcode Fuzzy Hash: 6c0a35a49430752c0f0507b0276bb837c350900880b296b3d42d0b78a8623ba0
Instruction Fuzzy Hash: B7311971D00258DFDB24CFAAC594BEEBFF5BF48300F248429E949AB250DB759942CB90

Function 01021308 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a774438a9210de0eb8e68eb088609feaa79e732ed4dfdcca6687594cb056860c
Instruction ID: ae39c359f5cdcb1d79e46299912d25e45222845bf3c38f727456261996e5b8a1
Opcode Fuzzy Hash: a774438a9210de0eb8e68eb088609feaa79e732ed4dfdcca6687594cb056860c
Instruction Fuzzy Hash: 63310871D00258DFDB24CFAAD594ADEBFF5BF48310F248429E949AB250DB749942CB90

Function 00E4D044 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747001534.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d989202b3efe5f62a78cc69cbf547f62439dd0d427434f97877046065fbde14
Instruction ID: 62f450e750a31b36f4896551b885e0a98856198e7bf0f19c1816deee0b77b728
Opcode Fuzzy Hash: 0d989202b3efe5f62a78cc69cbf547f62439dd0d427434f97877046065fbde14
Instruction Fuzzy Hash: 192125B2508244DFDB15DF10ED80B26BB66FB88314F24C569E9092B245C336D806CAB2

Function 08435A01 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf88458312ece69536fbcd4064a1b6bba50fad643f6accb92fc7b105f04c0e0
Instruction ID: 7f6c2a3f5a7115b0142fc279f6a0eb4c42fd8669720567dcd28c0fbcd5283d66
Opcode Fuzzy Hash: fcf88458312ece69536fbcd4064a1b6bba50fad643f6accb92fc7b105f04c0e0
Instruction Fuzzy Hash: 26311874A00229CFDB69DF28D844E99B7B1FB48305F1185E9E819A7345DB349E82CF50

Function 00E4D03F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747001534.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction ID: 7e96fa9806448927bf8c57e7669ed061f29533709a1519d4516e0ac4740a024c
Opcode Fuzzy Hash: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction Fuzzy Hash: 4E11B676508284CFDB16CF10E9C4B16BF72FB84314F24C5A9DC495B656C33AD91ACBA2

Function 0844DBD8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8128cc51e510e56a7f4ca925832e54f8b384c093b4bc8a48e4801247827bd781
Instruction ID: 7e1bb3edd419bd8b009330f527a8f9ce15f9dbad0682b9233ddfdc0f97d4dd96
Opcode Fuzzy Hash: 8128cc51e510e56a7f4ca925832e54f8b384c093b4bc8a48e4801247827bd781
Instruction Fuzzy Hash: 7E11B3B4E002099FDB44DFB9C9567AFBBF1FF89300F14846A9418A7354DA749A418F91

Function 00E3D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746956635.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd68842c5513d19865ed239ccc85ca174fbd82a107c4676389b9264b38bda4c
Instruction ID: 7620ad28e686ffa5d7c6f7d4ef1f4d40b3416f7e8d83f568f6c264e95432ae4d
Opcode Fuzzy Hash: 3bd68842c5513d19865ed239ccc85ca174fbd82a107c4676389b9264b38bda4c
Instruction Fuzzy Hash: 5101A77140C3449BE7104A15ED887A6BFD8EF42324F28C41BED0A5A186C2799841CA72

Function 08431DFF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8639d8cf7773122b9389225d2872ee542f8b1ccb2ab50c00ac3f0f4534bf80
Instruction ID: 45fe5123851c29f286e3ace88137513bc051d2ba60cfbfe05dbeff37a5112542
Opcode Fuzzy Hash: aa8639d8cf7773122b9389225d2872ee542f8b1ccb2ab50c00ac3f0f4534bf80
Instruction Fuzzy Hash: E7116470D04229CFCB65DF64D998BAAB7B1EB48305F1048EAE018A3381CBB45EC9CF41

Function 00E3D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746956635.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a04290c49d00c04e7cccc84140ea44ce32d557a21dfb648bd8626ffcf464f22
Instruction ID: 7d1aa8bae8e22db6267e008ffa1160bee47fe189fb54eeae4006a10a52e78b8a
Opcode Fuzzy Hash: 9a04290c49d00c04e7cccc84140ea44ce32d557a21dfb648bd8626ffcf464f22
Instruction Fuzzy Hash: F5F0C2714083449EEB208A05DC88B62FFD8EB41728F28C45AED485F286C2789C41CAB1

Function 08434AB7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330abea0e05ca80afae0abcd2c6ebea2ccc8d8b12d8dbc53bf11e62c11dfde24
Instruction ID: dec50852b55439a40672446ff12944fe1d7a5954ac51db937ee2c432bebf8dc2
Opcode Fuzzy Hash: 330abea0e05ca80afae0abcd2c6ebea2ccc8d8b12d8dbc53bf11e62c11dfde24
Instruction Fuzzy Hash: 1201A574A011288FE759DF68D899E5ABBB1FB88304F1185E9E80DA7395CF349E85CF10

Function 01020871 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3621fefa67d6b3f6ef5f71137d912fe983c38e703f520d4b43f2c7055dc6dc0
Instruction ID: 383c5ea9eea7439a684b25909ef68c7d8f39283af52fc4bfd1dae5305699dea3
Opcode Fuzzy Hash: a3621fefa67d6b3f6ef5f71137d912fe983c38e703f520d4b43f2c7055dc6dc0
Instruction Fuzzy Hash: 6DE092353147249FD306DB28E854C997BF8FF4A61431202D2F185CB7B3C661EC018B91

Function 08431380 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5843925e439240c7eccbc2276c0d751e33cf86194334963cbf3a8d7e2df970c3
Instruction ID: 275468e10b372b0f373ab1bbec95ca4a4b599332be85049e72020f96a629c218
Opcode Fuzzy Hash: 5843925e439240c7eccbc2276c0d751e33cf86194334963cbf3a8d7e2df970c3
Instruction Fuzzy Hash: 0D01D674A002289FCB65DF24D845A99B7F5FB48300F1095E9E419A3344EB349F84CF40

Function 0844DFA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fccaaa19d53d147c238da0007430648f732a2276054269514967757f2a531d
Instruction ID: 3ac772ffd5947136456c45f16c6cea279f1655f298168ec3f647feef546ad13b
Opcode Fuzzy Hash: 75fccaaa19d53d147c238da0007430648f732a2276054269514967757f2a531d
Instruction Fuzzy Hash: AFF0F874D08248EFCB90DFA9D840AADBBF8EB49311F14C0AAA868D3341D6359A16DF50

Function 0844F690 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d236c89cd2686a778e953db4e2db1ec3f68858cdd5f237bd0c1d6e4027bfca
Instruction ID: 08690a97b55f153988b121c9339ad09a7d215dcee5475bbc761f2b48ba0a239a
Opcode Fuzzy Hash: c2d236c89cd2686a778e953db4e2db1ec3f68858cdd5f237bd0c1d6e4027bfca
Instruction Fuzzy Hash: FAE01A713003055BC7109A2AE88494BF79AEEC5664750CA3AE15A87225EEB4AD468AA0

Function 010208B9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51247346114b665c382b8d5fad4139a1b52eab52a81cf9b09dc3fe093631aa6c
Instruction ID: ece671cd9525435c742df760776bd3a42529331d6c897a7b16752ce521ad7140
Opcode Fuzzy Hash: 51247346114b665c382b8d5fad4139a1b52eab52a81cf9b09dc3fe093631aa6c
Instruction Fuzzy Hash: FDE0263080D3A89BE71341BD88057DFBFE44B0A310F8003A6FBD5762CAC2952905C792

Function 084492E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction ID: c0a6cdd260e6af4ef8df81b37ac155a53231e1fa5e7cccdc69a96fd950141790
Opcode Fuzzy Hash: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction Fuzzy Hash: 58E0C974D04208EFCB84DFA9D941AADFFF4EB49310F10C0AA9818A3350D6359A56EF80

Function 0844C300 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction ID: 492eb9829f74bcf204f829a5ffca8a7dfcb6ea2745d5543b0adcdcb69102144f
Opcode Fuzzy Hash: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction Fuzzy Hash: D2E0C974D05208EFCB84DFA9D8416ADFBF4EB48311F14C0AA9818A3350D6359A56DF80

Function 08445138 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction ID: c349020bfe10e64184db799339e0dbfa80c2562af49f3e69d986db21774a12a3
Opcode Fuzzy Hash: df79c7a47bb10412235f61cf5aafb0fe1cddc67c6f9aa0b75841074841e41399
Instruction Fuzzy Hash: E0E0C974D04208EFCB84DFA9D8416ADBBF4EB48311F10C0AA9819A3350D6359A56DF80

Function 0844EC20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4193e1559ff4b2e7399dd8ea1f32e1766c50a208542a653493fc447573905a7b
Instruction ID: a89c9e029e288629d69079bdaaaf0ab2c21ace40198e4d1cb5bfc2a9a027253e
Opcode Fuzzy Hash: 4193e1559ff4b2e7399dd8ea1f32e1766c50a208542a653493fc447573905a7b
Instruction Fuzzy Hash: 34E086B490820CEFC754DFA4D84197DBFB9AB46311F10D0AAD88857341CA319E57DB90

Function 05CC05E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762861010.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855f07f77c0207a4beaeafae367d2f6375f96e07229388b1176cf0d785f39381
Instruction ID: 0807ce265d43ecf19dcd72f3040b8bb547a8ed81758def8b6d09c3759005bf71
Opcode Fuzzy Hash: 855f07f77c0207a4beaeafae367d2f6375f96e07229388b1176cf0d785f39381
Instruction Fuzzy Hash: B8E0CD75009114EFC750CF51E8417A87BB8E75A304F10449DD80893311D7369D47DB44

Function 08447C40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f177758ee8273db90c2f98d4a92b63ac7d7353df2c5b2d24c4ae35789faab05
Instruction ID: 8d0b9b8e76d5947b578f551c108e5ed2d07a01522bfb2edffb2cc0cebe2bf636
Opcode Fuzzy Hash: 5f177758ee8273db90c2f98d4a92b63ac7d7353df2c5b2d24c4ae35789faab05
Instruction Fuzzy Hash: 0DE01274D08208EFCB54DFA9D8416ACBBB4AB89201F1080AAC86863341D7369A07DF80

Function 0844CAE8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb86c28f7f07759975b85dc4779ea516f24179f80446d3a324c6e8128c7cf83
Instruction ID: 8571431a5add5b26ed05bf581351b4f1d5c8f3825c8edf06407c230c69c903da
Opcode Fuzzy Hash: 4cb86c28f7f07759975b85dc4779ea516f24179f80446d3a324c6e8128c7cf83
Instruction Fuzzy Hash: 15E08C74909208DBC704DFA5E88156CBBB8AB86301F1490AEC80823340CB315E0BCB81

Function 08430372 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0235a7590eea3ec976ad0452703db884e5b6962b612a8fb54b42a9bf435e24f5
Instruction ID: 02a2e3de9ab6e2d8f2ad0c2c7ed1c9d95850aacc4fab80893f0647e05de22742
Opcode Fuzzy Hash: 0235a7590eea3ec976ad0452703db884e5b6962b612a8fb54b42a9bf435e24f5
Instruction Fuzzy Hash: 45F01534D442288FEB24CF24D905BD8BBF0EB08344F0005EAE019A3346DB389E84CF40

Function 01020839 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be843af346a18f5a07f437c9366d36d6776631b3159bf920fc57f78cb2305b
Instruction ID: 4dc146b1e801f8aacfcd32c8c8df99b2feaa57476f11e60436309382825c6df7
Opcode Fuzzy Hash: 28be843af346a18f5a07f437c9366d36d6776631b3159bf920fc57f78cb2305b
Instruction Fuzzy Hash: C5D017B85083918FC7022762AC1A6AE7F30BE02205305029AE086E94B3C6A50C1B8B41

Function 05CC05F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762861010.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8001cbb973def83a2459accaf395376a20b5673506a3f4cb484d57bf32ec059c
Instruction ID: 967d5ea16c78d3fc46a1454843c0662f1568fbda317aa92b7a1a069358beeb96
Opcode Fuzzy Hash: 8001cbb973def83a2459accaf395376a20b5673506a3f4cb484d57bf32ec059c
Instruction Fuzzy Hash: E1D05EB4549108DFC784CFA6D805A6DBBBCEB86218F1084DDCC0963351CB329E06CB84

Function 0844CF28 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b989800378a57d018c3957502faaa19acfc83efa52d87f37aaaf35b5c313fef4
Instruction ID: 3b36f82e0e015d975e7681908257e30d9dd2e6f73314d96b5fcc00732a3a397d
Opcode Fuzzy Hash: b989800378a57d018c3957502faaa19acfc83efa52d87f37aaaf35b5c313fef4
Instruction Fuzzy Hash: 42C08C6106A30486E2501BA6684933172ECD30A206F086812850C009B0DBB8842ACA84

Function 01020848 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a1cc776532fbd1b1cbe61ef2f7baf989c870862f928a6bd754510ffef8720b
Instruction ID: bd621fb8bfe6885c33bffd2245f076fef31aa73bde1560356372cc63fa33a871
Opcode Fuzzy Hash: a9a1cc776532fbd1b1cbe61ef2f7baf989c870862f928a6bd754510ffef8720b
Instruction Fuzzy Hash: 9EC04CF9244715CFC2003B63FD0E32E3B28BB027123000020F08BA84B69BF01C6B8B81

Function 084332A8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdbcd082cf25a8fad672b2b668e4674546e1b7deed5b21ef6fea45c45c48b5a
Instruction ID: da2b9c804080378b34a46e46588a8f05ececa145ec2a0f5a047a8d082d015ae0
Opcode Fuzzy Hash: 9fdbcd082cf25a8fad672b2b668e4674546e1b7deed5b21ef6fea45c45c48b5a
Instruction Fuzzy Hash: 47D06C78D092288BCFA5CF50D888A99BBF1AB09310F1091EA841DA3210DB752E808F05

Function 010209FC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747268876.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c27ab09775365d0fcc15884f660e0b68a56a0a2ab0fb32540d70e5b7dbffce
Instruction ID: f63df67cc3f08281c3f8f28c10e32c6384faf0225463c8b2e48d5ff825127b41
Opcode Fuzzy Hash: 02c27ab09775365d0fcc15884f660e0b68a56a0a2ab0fb32540d70e5b7dbffce
Instruction Fuzzy Hash: 2FB01220200520061059A17D001102D098129A82007250218E046F7245DD410E090287

Non-executed Functions

Function 02872DA8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VBm, xrefs: 02872FF3

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: \VBm
API String ID: 0-971115878
Opcode ID: 6dd6e6a52ab0122cecc36340636702afbcfb21b09a74525a7d164d5392f46684
Instruction ID: f5a9796a4df1c989049f5665109ae58ff6e2d4004945fb4f8c1fb8dd3b647972
Opcode Fuzzy Hash: 6dd6e6a52ab0122cecc36340636702afbcfb21b09a74525a7d164d5392f46684
Instruction Fuzzy Hash: C0915079E00209CFDF24DFA9C88579EBBF2AF88714F148129E819E7258DB749985CB41

Function 05CC0040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762861010.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9780bbb9d556394fa2009cffb6aab5e86609a9dea79e0c61a6747052129644ba
Instruction ID: 7aec511fbd1451a3587af74fc2cec6c4f31e672b9acab1985d1a3bd5611f2ffc
Opcode Fuzzy Hash: 9780bbb9d556394fa2009cffb6aab5e86609a9dea79e0c61a6747052129644ba
Instruction Fuzzy Hash: 6AB11974E04218CFDB14DFA5D888BAEBBB2FB49304F1094A9D519BB265DB749D86CF00

Function 05CC0039 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762861010.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff1567c7348fe7636416008f34b749e4e35b149bcd9129a4022d142d5e6be2b
Instruction ID: 6378068994b35cecdcd2f8971ed77a852c600b37b9e6777d18e839e756620d65
Opcode Fuzzy Hash: 5ff1567c7348fe7636416008f34b749e4e35b149bcd9129a4022d142d5e6be2b
Instruction Fuzzy Hash: 2AB12974E04218CFDB14DFA5D888BAEBBB2FB49304F1094A9D519BB265DB749986CF00

Function 05CC03CA Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1762861010.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c0eaed173a35324ef2632e3b7b06e86db51c7495e679e91ea06fa150d1cd72
Instruction ID: 830f9bcb7f344b74bb9917ce1a2690af74e2996d6b2e503f1de826a280ede050
Opcode Fuzzy Hash: 27c0eaed173a35324ef2632e3b7b06e86db51c7495e679e91ea06fa150d1cd72
Instruction Fuzzy Hash: AAA12874E04218CFDB14EF65D888BAEBBB2FB49304F5094A9D509BB265DB749D86CF00

Function 0287595B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5f536325178c1b71a4da3a317728cd103b572916c4f9ba2044e488935c0fab
Instruction ID: b01b468e86d9f31ff84cf05483bfa4b454b637acf9c3e7e8269ab4bbdaef2dee
Opcode Fuzzy Hash: bf5f536325178c1b71a4da3a317728cd103b572916c4f9ba2044e488935c0fab
Instruction Fuzzy Hash: CB916DB8E04248CFEB14DFA9D484BADBBF1FB49308F509069D419EB255DB389985CF00

Function 02875968 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedfa54536aec1ca1db1d015edfede9812e372940cdfeffb20c870b5d01b6733
Instruction ID: ca1ddb6bcc7af329001158651a1a1c8762f0c15cb038e20081959ba60bf65499
Opcode Fuzzy Hash: bedfa54536aec1ca1db1d015edfede9812e372940cdfeffb20c870b5d01b6733
Instruction Fuzzy Hash: 24815BB8E04208CFEB14DFA9D488BADBBF1FB49309F509069D419E7255DB389985CF00

Function 0844CB28 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4a6f16d94124929085c96b5c9e8d792c5443583b6ec1dd86fc12abf6ea01f3
Instruction ID: 58303456847bbb27e16c3302d65cb09966e6c9a9d9b9aab751fedf4aca10937d
Opcode Fuzzy Hash: 8b4a6f16d94124929085c96b5c9e8d792c5443583b6ec1dd86fc12abf6ea01f3
Instruction Fuzzy Hash: 3E811DB0D06218CFEB24DF65D8847EDBBF5BF49305F18A0AAD409A7251DB345A86CF41

Function 02875AE7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24edc85e6ef2a5995ef5a27f61694c88635a745c421b1c1954577bcf6dbb3d9c
Instruction ID: 74acb00a903c323a83a97fe3c41e8bad054c5dc499fa801cc463e6da764f3889
Opcode Fuzzy Hash: 24edc85e6ef2a5995ef5a27f61694c88635a745c421b1c1954577bcf6dbb3d9c
Instruction Fuzzy Hash: 4D714FB8E05248CFEB14DFA9D484BADBBF1FB49309F509069D419E7265DB389986CF00

Function 02879208 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b684ba18452ef394ea3fb42d0a445e302e984e798e72bd6451837283354238
Instruction ID: 441e1353d545689ae12fa5bc2452f93619ab2406cf370a96c26ce10ad4e00c00
Opcode Fuzzy Hash: c0b684ba18452ef394ea3fb42d0a445e302e984e798e72bd6451837283354238
Instruction Fuzzy Hash: 2C414978D042588FDB25DF6AC8547DDBBF2BB8A304F1490AAC458E7266DB308989CF40

Function 02879248 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f575ba9c85ce7401cde7b3d4802296ad27c936419d6846c4edcd591dfd41af21
Instruction ID: 829781643793d8866e69ed9f0cfee477d3b1c0286785f65e70a6097424239bad
Opcode Fuzzy Hash: f575ba9c85ce7401cde7b3d4802296ad27c936419d6846c4edcd591dfd41af21
Instruction Fuzzy Hash: 8B515BB8D042188FEB24DF6AC8947DDBBF2EB8A304F54D0AAC419E7255DB348985CF51

Function 02879267 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3d1bbbbf79bfe81d474d2057732eaa2b6c6f7420b545e26793638454d5a62f
Instruction ID: 79a1c0a401e86d7e5717b16720932e904a1bdc9c7905b3d1a377879619d22322
Opcode Fuzzy Hash: ff3d1bbbbf79bfe81d474d2057732eaa2b6c6f7420b545e26793638454d5a62f
Instruction Fuzzy Hash: 3C41F278E042188FDB24DF6AD84479DBBF6BB8A304F54D1AAC418E7255DB308985CF40

Function 028792F0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747519828.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a920d07b795355914542959dfd86ed02b15e0a4fe2e9722d0cc87e17a4608d1
Instruction ID: f5981ca1a3b75a0266c68b1c69f68f231065b3edb4e42a12b129d5d00c64f179
Opcode Fuzzy Hash: 2a920d07b795355914542959dfd86ed02b15e0a4fe2e9722d0cc87e17a4608d1
Instruction Fuzzy Hash: BE510278E04218CFDB24DF6AD8847EDBBF2BB8A304F5494AAC408E7254DB308985CF40

Function 08430006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754168c1193b1dc0173a38caaf1195bcc9bb77ce5ffb721badc47f715bb6d486
Instruction ID: 2d347ef37772a4e1943961738e560fe1ae7122537f0a4ad443c9bd58a0fe6265
Opcode Fuzzy Hash: 754168c1193b1dc0173a38caaf1195bcc9bb77ce5ffb721badc47f715bb6d486
Instruction Fuzzy Hash: 1E313071D097949FDB5ACF6AC854299BFF2AF86300F19C1EBC44CAA262DB350985CF11

Function 08430040 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae83af6dbdb7118f9b59e9a432f57603a08a3583ce06073b87a6447520f0851
Instruction ID: 4455ec0c9fd8782618f8501d4f9016c88ee1b631b23540fdab9e324db6805a1b
Opcode Fuzzy Hash: fae83af6dbdb7118f9b59e9a432f57603a08a3583ce06073b87a6447520f0851
Instruction Fuzzy Hash: 9731E971D04669DBEB69CF6BCC4479EBAF6BFC8301F10C5AAD41CA6254DB740A858F00

Function 0844F868 Relevance: 7.9, Strings: 6, Instructions: 406COMMON

Download Yara Rule

Strings

4'q, xrefs: 0844F9B2
4'q, xrefs: 0844F8EC
4'q, xrefs: 0844F93A
4'q, xrefs: 0844F91C
pq, xrefs: 0844F9BF
(q, xrefs: 0844FA32

Memory Dump Source

Source File: 00000000.00000002.1771456302.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8430000_QUOTATION_JULQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: (q$4'q$4'q$4'q$4'q$pq
API String ID: 0-2944075406
Opcode ID: abd13f44651886f528f87cab35925a6d283385756ad04d4a77f3ff96eaf5bde7
Instruction ID: fb4da28e65b58a28e1fa1fa04e0cb938df53bed21bc81cd6f4e20d8906434f49
Opcode Fuzzy Hash: abd13f44651886f528f87cab35925a6d283385756ad04d4a77f3ff96eaf5bde7
Instruction Fuzzy Hash: 31D18F72A00214DFDB09DF64C844E9A7BB2FF89310F0584A9E509AB272DB71ED56CF90

Analysis Process: aspnet_compiler.exePID: 8012, Parent PID: 7752COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	162
Total number of Limit Nodes:	18

Executed Functions

Function 065D9012 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065D912A

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 183d27b731f894dfc913fc933070e1b805ce49acb80e488a22bdc918ad2eed7c
Instruction ID: 3e15a5c004096b057e04df6b685a42d8888a40a4ca22cd4f58eff60462af20b0
Opcode Fuzzy Hash: 183d27b731f894dfc913fc933070e1b805ce49acb80e488a22bdc918ad2eed7c
Instruction Fuzzy Hash: 0B51C1B5D00309DFDB24CF9AD884ADEBBB5FF48310F24852AE819AB250D7719985CF91

Function 065D9018 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065D912A

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 06f4e69234e6d06c4633b15bb76d95879052821697ac01c2dcf470bbc91e0a76
Instruction ID: b897b379e3e20e40dbd89eebf1c4fd12978620ebd986c90fb8de46cb28747b6a
Opcode Fuzzy Hash: 06f4e69234e6d06c4633b15bb76d95879052821697ac01c2dcf470bbc91e0a76
Instruction Fuzzy Hash: B841B0B5D00309DFDB24CF9AD884ADEBBB5FF48310F24812AE819AB250D775A945CF94

Function 065DC84C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 065DDA51

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 74365792dfc330d1884224fc1c94364f959189302daf9188c477c9a1400a441e
Instruction ID: c757e54468865440559f72971c94e6cb962000fe0e3d1ef8b4de3b7aa88816ad
Opcode Fuzzy Hash: 74365792dfc330d1884224fc1c94364f959189302daf9188c477c9a1400a441e
Instruction Fuzzy Hash: 984137B5904305DFDB64CF99C888AAABBF5FF88314F24C559D419AB361C330A841CFA0

Function 065DE6DC Relevance: 1.6, APIs: 1, Instructions: 79
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 065DE770

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: df7cfb35aa0c24c0ce1e6719f2740e615065066e04e42bf7518ee67ae87f8db9
Instruction ID: be12810858b5fc715aafc3c77812f8470a7b4a356849a4cef2117335d7deabb9
Opcode Fuzzy Hash: df7cfb35aa0c24c0ce1e6719f2740e615065066e04e42bf7518ee67ae87f8db9
Instruction Fuzzy Hash: 4A3112B4D01349EFDB64CFA9C985BCEBBF5BB48304F248019E004AB291D7B5A845CFA5

Function 065DDF18 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 065DE770

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 599d1b0308bb9b7768cd4be865d116cf9469f570728e8c716010d99dd39a49cd
Instruction ID: bc2274ef8e7c2d6ce1c301aedce45d6d6ef923e06f85df04b2ae16f4f0188ae2
Opcode Fuzzy Hash: 599d1b0308bb9b7768cd4be865d116cf9469f570728e8c716010d99dd39a49cd
Instruction Fuzzy Hash: B931F0B0D01349EFDB64DF99C985B9EBBF5BB48304F248019E404AB290D7B4A845CFA5

Function 02CE70A0 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02CE711F

Memory Dump Source

Source File: 0000000A.00000002.2503229858.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_aspnet_compiler.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 16274111c1e3eb76e1d14d9d7c9ad3a4cb4a93a3d4b30c6c812850f36d0e1e16
Instruction ID: da417f331fb814f979bf878ff0be8a1ab39bc7153191b92bacff5cd9532102c6
Opcode Fuzzy Hash: 16274111c1e3eb76e1d14d9d7c9ad3a4cb4a93a3d4b30c6c812850f36d0e1e16
Instruction Fuzzy Hash: AB2139B29003598FCB10CF9AD8847EEFBF4AF49310F14845AE859A7240D778AA45CF65

Function 065DCAE8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065DCB77

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 652df7010f1753801c22e2433a7708178a703f758c98637811214693b22e4bf4
Instruction ID: 5ac62a41467fb517deac07c68dc3e8420bb12888f4ad941b64b23f1270d50a3d
Opcode Fuzzy Hash: 652df7010f1753801c22e2433a7708178a703f758c98637811214693b22e4bf4
Instruction Fuzzy Hash: 7E21E5B5D00349AFDB10CFAAD884ADEBFF8FB48310F14842AE954A7250C374A945CF65

Function 02CE70A8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02CE711F

Memory Dump Source

Source File: 0000000A.00000002.2503229858.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_aspnet_compiler.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f2e2b4a233c1111fb626ad0f68dec99e5ec3c7fd3b3edac4a6d9ccd7b9c1cea5
Instruction ID: 1a2a793bc020efd188e7e9f7af6ce423889d418750231175efded560c0fc645b
Opcode Fuzzy Hash: f2e2b4a233c1111fb626ad0f68dec99e5ec3c7fd3b3edac4a6d9ccd7b9c1cea5
Instruction Fuzzy Hash: 962159B1D003598FCB10CF9AD884BEEFBF4AF48310F14841AE859A3240D778A944CF61

Function 065DCAF0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065DCB77

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 26d3c09ea8840cd822dc8dc178229ee8762b5362a1d2dc5831c350dd5ff65353
Instruction ID: 379ae1c0dd1ccef353e57a67138178cf1705f6b0fc3adcc105d70fdf247d90a3
Opcode Fuzzy Hash: 26d3c09ea8840cd822dc8dc178229ee8762b5362a1d2dc5831c350dd5ff65353
Instruction Fuzzy Hash: 2A21C2B5D003499FDB10CFAAD984ADEBBF9FB48320F14841AE958A7350D374A944CFA5

Function 065D6564 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 065D7FD6

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7500a16761e8020f144d790d8f58bba8a83ac398cd7d487fc7e43ef044f65123
Instruction ID: 1ab867014ac1284bf0e3f460ef56a1f7bcbb59a64cec5d595e67663dcad298c9
Opcode Fuzzy Hash: 7500a16761e8020f144d790d8f58bba8a83ac398cd7d487fc7e43ef044f65123
Instruction Fuzzy Hash: CF11F0B6C047498FDB20DF9AC844BDEFBF5EB88210F14842AD829A7340D375A545CFA5

Function 065D7F6A Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 065D7FD6

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3bb8bdc2b470161b52599552fc2f0ac94320b61bb631a171e17b7d7ce6536d6f
Instruction ID: 8e0d18f15516bbd1ea0ab3cbff6be578fda94deffe92736e0cb281849570d4f7
Opcode Fuzzy Hash: 3bb8bdc2b470161b52599552fc2f0ac94320b61bb631a171e17b7d7ce6536d6f
Instruction Fuzzy Hash: CF1102B6D0124A8FCB20DF9AD844BDEFBF4AF88310F14842AD469A7250C375A545CFA5

Function 065DDE04 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065DE5F5

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d01614b84f70c6b21555ee688ce46c599f50731a986f5ca5445c19d0b440cf9f
Instruction ID: 4e88ed71d1b5e46d9328c374d705808b34c0f89a718a14e82cec9ef657219193
Opcode Fuzzy Hash: d01614b84f70c6b21555ee688ce46c599f50731a986f5ca5445c19d0b440cf9f
Instruction Fuzzy Hash: 761112B59043498FDB20DFAAD549BDEBBF4EB48324F20841AD519AB340D374A944CFA9

Function 065DDBCC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,065DE0AD), ref: 065DE137

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 62ed5dbbc44d00799c35dabba2265d20d971718a02398b25b88a6a55b007bfef
Instruction ID: 7ae67d5550f96dabe0d7e8961f7556284eca5a79dde35529b69806b2f86f595f
Opcode Fuzzy Hash: 62ed5dbbc44d00799c35dabba2265d20d971718a02398b25b88a6a55b007bfef
Instruction Fuzzy Hash: 1411F2B59047498FDB20DF9AD885BDEBBF4FB48320F24842AD519A7240C774A944CFA5

Function 065DE599 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065DE5F5

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 17a1ff04a6508f67380254a1f3efc2a29f3ebfffed0af348e570e17e33cfb983
Instruction ID: 8883ccd71c1db431ec777fce7bf3ba2a69a61d2bbcf6283c24fff3378bd002e8
Opcode Fuzzy Hash: 17a1ff04a6508f67380254a1f3efc2a29f3ebfffed0af348e570e17e33cfb983
Instruction Fuzzy Hash: 241142B1C003888FCB20CFAAD448BDEFBF4EB48310F24841AD418AB250C378A940CFA4

Function 065DE0D0 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,065DE0AD), ref: 065DE137

Memory Dump Source

Source File: 0000000A.00000002.2508563348.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_65d0000_aspnet_compiler.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d33beab4b8ca3f292884a7a8e63b28f4bdad16a8464d37a470b057ca2a464f1b
Instruction ID: f382370f6aecd8820f4f3b0e30f0fbb680d24f3a1d505834fb4298423e9fd875
Opcode Fuzzy Hash: d33beab4b8ca3f292884a7a8e63b28f4bdad16a8464d37a470b057ca2a464f1b
Instruction Fuzzy Hash: D4112EB5C003488FCB20CF9AD885BDEFBF4EB48320F20842AD419A7240C375A945CFA5

Function 0145D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2502852213.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_145d000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dcb2fd72f4eea7411e933e9d27130f9da5a69a4371cf86f8f57342680b726e
Instruction ID: 5b0b3ec3dd1b0480c4e036b2d0a6555e76018eb9d2febc4dc5e17569d8c02394
Opcode Fuzzy Hash: 55dcb2fd72f4eea7411e933e9d27130f9da5a69a4371cf86f8f57342680b726e
Instruction Fuzzy Hash: 192100B1A04200DFDB55DF54D880B26BBA1EF84618F24C56EDD0A4B367C33AD847CA62

Function 0145D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2502852213.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_145d000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94473c02430695b7a4514a999ae53825cb64c96b4b1997b3a632010a85b2bba
Instruction ID: df5f7bdabe4844775ee8290d6c5dd7803c58f87c282c498a73d35b39e9aa0aae
Opcode Fuzzy Hash: b94473c02430695b7a4514a999ae53825cb64c96b4b1997b3a632010a85b2bba
Instruction Fuzzy Hash: CB2171755083809FDB03CF64D994716BF71EF46214F28C5EAD8498F2A7C33A9806CB62

Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename39b65d59-f6bc-48b5-8d23-a6d96b36d336.exe4 vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000000.1246002493.0000000000655000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKuulogkewv.exe> vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGyokxqciy.dll" vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGyokxqciy.dll" vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1746499640.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameKuulogkewv.exe> vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_JULQTRA071244#U00faPDF.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Function 028709F8 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 028734F0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Function 0844D750 Relevance: 1.5, Strings: 1, Instructions: 276
COMMON

Function 028709F1 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 02874490 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 028744A0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre