Edit tour

Windows Analysis Report
B24E33 ENQUIRY.vbe

Overview

General Information

Sample name:	B24E33 ENQUIRY.vbe
Analysis ID:	1466649
MD5:	a61b17519bd7dfbfe0fab5dae5846500
SHA1:	d2112323be6db1e792584bc65bdd4f95e89992df
SHA256:	e56047d7cac83d463327286f0c39cb6ca99c56e331f3b090357323fc94690a8c
Tags:	vbe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: AspNetCompiler Execution

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6388 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)

HHhHh.exe (PID: 3624 cmdline: "C:\Users\user\AppData\Local\Temp\HHhHh.exe" MD5: 4E7F57441EA44798FDB4C7387334ADC8)

aspnet_compiler.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.technique.net.au", "Username": "logo@technique.net.au", "Password": "Business@2222"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HHhHh.exe PID: 3624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HHhHh.exe PID: 3624	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6176	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.HHhHh.exe.2570000.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.HHhHh.exe.259c334.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.HHhHh.exe.2570000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.HHhHh.exe.259c334.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3313d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33239:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x332cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33335:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3343d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x334cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.HHhHh.exe.42dbff0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.HHhHh.exe.42dbff0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.HHhHh.exe.42dbff0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3133d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x313af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31439:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x314cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31535:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x315a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3163d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x316cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.HHhHh.exe.42dbff0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.HHhHh.exe.42dbff0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.HHhHh.exe.42dbff0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3313d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33239:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x332cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33335:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3343d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x334cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", ProcessId: 6388, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\HHhHh.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\HHhHh.exe, ParentProcessId: 3624, ParentProcessName: HHhHh.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", ProcessId: 6176, ProcessName: aspnet_compiler.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 122.201.84.5, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Initiated: true, ProcessId: 6176, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe", ProcessId: 6388, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Avira: detection malicious, Label: HEUR/AGEN.1327012

Found malware configuration

Source: 3.2.aspnet_compiler.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.technique.net.au", "Username": "logo@technique.net.au", "Password": "Business@2222"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Virustotal: Detection: 33%

Perma Link

Multi AV Scanner detection for submitted file

Source: B24E33 ENQUIRY.vbe

Virustotal: Detection: 17%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: .pDBCYz0o8r0Yva#I2orhZ/a source: wscript.exe, 00000000.00000003.2027855834.0000012916A5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027083340.0000012914A91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2028481121.0000012916A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027902743.0000012916A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027781224.0000012916A4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026971080.0000012916A44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Under.pdb source: HHhHh.exe, 00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NJnH887.pdb source: wscript.exe, 00000000.00000002.2072388530.0000012917B96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2062147341.0000012916E33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2062299353.00000129169AB000.00000004.00000020.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000000.2062029336.00000000002B2000.00000002.00000001.01000000.00000006.sdmp, HHhHh.exe.0.dr

Source: global traffic

TCP traffic: 192.168.2.5:49713 -> 122.201.84.5:587

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49713 -> 122.201.84.5:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.technique.net.au

Source: aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000036FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.technique.net.au
Source: aspnet_compiler.exe, 00000003.00000002.4494963592.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.000000000162A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: aspnet_compiler.exe, 00000003.00000002.4494963592.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.000000000162A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.
Source: aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.enc
Source: aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4499962027.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4499962027.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: HHhHh.exe, 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: HHhHh.exe, 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003331000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, 3DlgK9re6m.cs

.Net Code: xCBm

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.HHhHh.exe.42dbff0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3C888	2_2_00B3C888
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B39830	2_2_00B39830
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B31A88	2_2_00B31A88
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B39EF0	2_2_00B39EF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B333B0	2_2_00B333B0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B32B28	2_2_00B32B28
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3B089	2_2_00B3B089
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3B0E8	2_2_00B3B0E8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B38C30	2_2_00B38C30
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B39821	2_2_00B39821
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B36DD0	2_2_00B36DD0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B36DC0	2_2_00B36DC0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3A508	2_2_00B3A508
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B36AB0	2_2_00B36AB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B33AA0	2_2_00B33AA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3B6A5	2_2_00B3B6A5
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B33A91	2_2_00B33A91
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3B6F0	2_2_00B3B6F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B39ECC	2_2_00B39ECC
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B393B0	2_2_00B393B0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B333A0	2_2_00B333A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B393C0	2_2_00B393C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3D360	2_2_00B3D360
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_00B3D350	2_2_00B3D350
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_071E0006	2_2_071E0006
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_071E0040	2_2_071E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01566708	3_2_01566708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0156214F	3_2_0156214F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01562160	3_2_01562160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_018641C8	3_2_018641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0186A290	3_2_0186A290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0186D5F8	3_2_0186D5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01864A98	3_2_01864A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01869A08	3_2_01869A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01863E80	3_2_01863E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01861B24	3_2_01861B24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF7354	3_2_05EF7354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF9596	3_2_05EF9596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF0448	3_2_05EF0448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF36B8	3_2_05EF36B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF2FD0	3_2_05EF2FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF88A8	3_2_05EF88A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_05EF88A6	3_2_05EF88A6

Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.HHhHh.exe.42dbff0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: HHhHh.exe.0.dr

Static PE information: Section: .sdata ZLIB complexity 0.9983771829044118

Source: 2.2.HHhHh.exe.2570000.0.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.HHhHh.exe.2570000.0.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.HHhHh.exe.259c334.1.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.HHhHh.exe.259c334.1.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBE@5/2@2/2

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HHhHh.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: B24E33 ENQUIRY.vbe

Virustotal: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: .pDBCYz0o8r0Yva#I2orhZ/a source: wscript.exe, 00000000.00000003.2027855834.0000012916A5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027083340.0000012914A91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2028481121.0000012916A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027902743.0000012916A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027781224.0000012916A4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026971080.0000012916A44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Under.pdb source: HHhHh.exe, 00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NJnH887.pdb source: wscript.exe, 00000000.00000002.2072388530.0000012917B96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2062147341.0000012916E33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2062299353.00000129169AB000.00000004.00000020.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000000.2062029336.00000000002B2000.00000002.00000001.01000000.00000006.sdmp, HHhHh.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.HHhHh.exe.2570000.0.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.HHhHh.exe.259c334.1.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: HHhHh.exe.0.dr, OvGJswGBEXQZBiTvEY.cs	.Net Code: VRsjCUDBY System.Reflection.Assembly.Load(byte[])
Source: 0.2.wscript.exe.12917ba3630.0.raw.unpack, OvGJswGBEXQZBiTvEY.cs	.Net Code: VRsjCUDBY System.Reflection.Assembly.Load(byte[])

Source: HHhHh.exe.0.dr

Static PE information: 0xD739F21F [Sat Jun 3 19:29:35 2084 UTC]

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Code function: 2_2_071E3E06 push edi; ret		2_2_071E3E0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01860C55 push edi; retf		3_2_01860C7A

Source: HHhHh.exe.0.dr, OvGJswGBEXQZBiTvEY.cs	High entropy of concatenated method names: 'VRsjCUDBY', 'YGp8wqZMc', 'wZAG3yW7r', 'CKVojXj5P', 'JEQg9QUU5JpfXEesgmP', 'DJWSxEUAH2EUIE2OuQy', 'jtJ3BnU8NiZaNG1XDq0', 'Oep97KURH1auM4YGwyH', 'yxPXIZUtaSEmbw71dHg', 'ogX4KMUlWcm25NV7hFU'
Source: 0.2.wscript.exe.12917ba3630.0.raw.unpack, OvGJswGBEXQZBiTvEY.cs	High entropy of concatenated method names: 'VRsjCUDBY', 'YGp8wqZMc', 'wZAG3yW7r', 'CKVojXj5P', 'JEQg9QUU5JpfXEesgmP', 'DJWSxEUAH2EUIE2OuQy', 'jtJ3BnU8NiZaNG1XDq0', 'Oep97KURH1auM4YGwyH', 'yxPXIZUtaSEmbw71dHg', 'ogX4KMUlWcm25NV7hFU'
Source: 2.2.HHhHh.exe.2570000.0.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	High entropy of concatenated method names: 'cPW09tS3KG', 'KDikMXewCI', 'qoP0zORjR1', 'HldO1IQfZM', 'GwUO0ZwWJf', 'PPAOO2oUdt', 'prVJL3hUSH33s', 'h8Y6COPVJ', 'I0KlQy4qL', 'BJmVDArGt'
Source: 2.2.HHhHh.exe.259c334.1.raw.unpack, yO0hCY2YhNj4ADhpD4.cs	High entropy of concatenated method names: 'cPW09tS3KG', 'KDikMXewCI', 'qoP0zORjR1', 'HldO1IQfZM', 'GwUO0ZwWJf', 'PPAOO2oUdt', 'prVJL3hUSH33s', 'h8Y6COPVJ', 'I0KlQy4qL', 'BJmVDArGt'

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 4590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 5C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 5DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory allocated: 6DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194500	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8009			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1851			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe TID: 1672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199733s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199442s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1199094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1198000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1197015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1196031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1195047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1194937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1194828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1194719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1194609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2468	Thread sleep time: -1194500s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1199094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1198000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1197015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1196031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1195047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 1194500	Jump to behavior

Source: wscript.exe, 00000000.00000002.2072250564.00000129171F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\|
Source: aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHA%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: HHhHh.exe.0.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10A9008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\HHhHh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HHhHh.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.HHhHh.exe.2570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.259c334.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.2570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.259c334.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HHhHh.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.42dbff0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HHhHh.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6176, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.HHhHh.exe.2570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.259c334.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.2570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.HHhHh.exe.259c334.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	311 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
B24E33 ENQUIRY.vbe	8%	ReversingLabs	Script.Trojan.Heuristic
B24E33 ENQUIRY.vbe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\HHhHh.exe	100%	Avira	HEUR/AGEN.1327012
C:\Users\user\AppData\Local\Temp\HHhHh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\HHhHh.exe	34%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.technique.net.au	0%	Virustotal		Browse
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://x1.c.enc	0%	Avira URL Cloud	safe
http://x1.c.	0%	Avira URL Cloud	safe
http://mail.technique.net.au	0%	Avira URL Cloud	safe
http://mail.technique.net.au	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.technique.net.au	122.201.84.5	true	true	0%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	aspnet_compiler.exe, 00000003.00000002.4494963592.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.000000000162A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.enc	aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	HHhHh.exe, 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003331000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	HHhHh.exe, 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, HHhHh.exe, 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4499962027.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4499962027.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.	aspnet_compiler.exe, 00000003.00000002.4501716074.0000000006B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.technique.net.au	aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000036FC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	aspnet_compiler.exe, 00000003.00000002.4494963592.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4501470939.0000000006B39000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.000000000162A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003471000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4493885956.0000000001637000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000376A000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003422000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.00000000037CC000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.000000000385B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4500274164.0000000005C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4494963592.0000000003552000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
122.201.84.5	mail.technique.net.au	Australia		38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466649
Start date and time:	2024-07-03 08:42:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	B24E33 ENQUIRY.vbe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBE@5/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 156 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .vbe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:43:10	API Interceptor	11365872x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	AWB 3609 961.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MT_0615_60931PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Doc230906103882.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Doc_CI_PL_HBL_COO_Insu_.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	roger.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Remittance Advice.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	FmQx1Fw3VA.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	https://scm.ci/cgi-bin/redirect.php	Get hash	malicious	Unknown	Browse	27.123.25.1
	https://www.thaicreate.com/outlink.php?l=https://p6f.org/mI1AchQ3EllQ3Ez01lavallQ3EQ3E2APchD5QD5Q4DCz01oTx4RAW4G	Get hash	malicious	HTMLPhisher	Browse	203.170.87.81
	https://is.gd/Drz8uT	Get hash	malicious	Unknown	Browse	103.254.137.2
	malware.html	Get hash	malicious	HTMLPhisher	Browse	185.184.154.145
	tXwY81Gv84.elf	Get hash	malicious	Mirai	Browse	116.0.24.106
	https://rcpd.net.au/?pcr=cGF1LmZlcnJlckBhaWx5bGFicy5jb20=	Get hash	malicious	Unknown	Browse	203.170.87.185
	Embitterer13.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	122.201.64.145
	https://flameministries.org/wp-inlcudes/vieitufh/fgryfgs/itgetfgdg/?userid=amFuLmJhY3praWV3aWN6QGtnaG0uY29t	Get hash	malicious	Unknown	Browse	203.28.49.145
	FLEECE SHIRT STYLES-288AW & 289AW xlsx.exe	Get hash	malicious	AgentTesla	Browse	103.20.200.209
	CANDYS FOOD - WHITE FISH PROGRAM xlsx.exe	Get hash	malicious	AgentTesla	Browse	103.20.200.209
CLOUDFLARENETUS	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://www.getaround.co.il/wp-logs/?r=mag372@norauto.es	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Get hash	malicious	FormBook	Browse	66.235.200.146
	AWB 3609 961.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Att00173994.exe	Get hash	malicious	FormBook	Browse	104.21.92.152
	aAEsSBx24sxHhRz.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	MT_0615_60931PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	IMG_0178520003023PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Doc230906103882.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Purchase Order N#U00b0 20240702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	AWB 3609 961.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MT_0615_60931PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Doc230906103882.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	birectangular.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	AWB#276097479258.pdf.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	payment.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	Doc_CI_PL_HBL_COO_Insu_.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	roger.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://rules-pear-kft5d2.mystrikingly.com/	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\AppData\Local\Temp\HHhHh.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\HHhHh.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	226304
Entropy (8bit):	7.462648336005162
Encrypted:	false
SSDEEP:	6144:n5fNfF7ImRWWKYxzMVKJNz79ap12+gxmj26O/x:51fF7ImR28z8KJlJ616xmt2
MD5:	4E7F57441EA44798FDB4C7387334ADC8
SHA1:	8B097BB71E69AF663E62625A19FC17591D59A942
SHA-256:	ADF1EB40617F8B54B133C7ABE1828849FE3C621CCD574C57C6B9178803FD1846
SHA-512:	D2F7BF0C97F7F8C49EF915B1220A44609CFEBE4DE90AFB909E708FF35F2A6B66A0EB75A311850B170A9592DAE8C6900FEE6E526E34D72C2FF2958A78538AE1FE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 34%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9.............................>.... ........@.. ....................................`.....................................K.................................................................................... ............... ..H............text...D.... ...................... ..`.sdata........... ..................@....rsrc...............................@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65242), with CRLF line terminators
Entropy (8bit):	5.773063511331612
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	B24E33 ENQUIRY.vbe
File size:	316'457 bytes
MD5:	a61b17519bd7dfbfe0fab5dae5846500
SHA1:	d2112323be6db1e792584bc65bdd4f95e89992df
SHA256:	e56047d7cac83d463327286f0c39cb6ca99c56e331f3b090357323fc94690a8c
SHA512:	7e64b35399a77b9624ef04a485655288b07adcc1f6a512f9d9e72d66352bbf9d7057dd2b784e834f390a05f1b8819179963ddac72f09b68d6e94716d848c5891
SSDEEP:	3072:m5x8N0px10I1bQPgpSgey2o00nLvyN7F1W55d1RJCl1pauY5dR13Dto9EgE09ZN3:m5xf10I+gpSJoZnLV5b1Hs1IjTouKSdq
TLSH:	8864CF21EA01466FCFAB4F5E7D090BE5B4B908BB9C56D106F68F1D160CF0A35547AF28
File Content Preview:	' Constants for XML and Base64 processing..Const XML_TYPE = "MSXML2.DOMDocument"..Const ELEMENT_TYPE = "text"..Const DATA_TYPE = "bin.base64"....' Declare variables..Dim base64EncodedString, tempFolderPath, executablePath....' Initialize the Base64 encode

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 08:43:10.547698975 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:10.547739029 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:10.547940016 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:10.564836979 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:10.564872026 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.179339886 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.179455042 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:11.183701992 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:11.183716059 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.184111118 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.236222982 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:11.274245977 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:11.320498943 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.377074957 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.377155066 CEST	443	49704	172.67.74.152	192.168.2.5
Jul 3, 2024 08:43:11.377338886 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:43:11.383354902 CEST	49704	443	192.168.2.5	172.67.74.152
Jul 3, 2024 08:44:56.818065882 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:56.823060989 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:56.823153019 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:58.102564096 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:58.102941036 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:58.108108997 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:58.412111998 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:58.413475990 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:58.418299913 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:58.723325014 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:58.723891973 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:58.728857040 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.043159962 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.043179989 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.043191910 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.043287039 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:59.078727007 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:59.083631992 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.389945030 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.397917032 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:59.402827024 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.706480980 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:44:59.712024927 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:44:59.716968060 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.021214962 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.026570082 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:00.031521082 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.640564919 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.644541025 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:00.651247025 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.953193903 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:00.957293987 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:00.962188005 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.281443119 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.283839941 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.289664030 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.594157934 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.622881889 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.623040915 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.623091936 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.623202085 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.624846935 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.628143072 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.628196001 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.628335953 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.628345966 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.628355026 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.628393888 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630270958 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630307913 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630335093 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630343914 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630345106 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630378008 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630395889 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630420923 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630429983 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630438089 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630460978 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630477905 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630870104 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630906105 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.630914927 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.630949020 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.633573055 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.633610010 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.634035110 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.634087086 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.635895967 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.635948896 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.635951996 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636002064 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636007071 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636044025 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636076927 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636116982 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636459112 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636512995 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636516094 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636553049 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636746883 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636787891 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636807919 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636847973 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.636889935 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.636936903 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.639332056 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.639378071 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.639897108 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.639934063 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:01.641666889 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641725063 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641755104 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641798973 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641830921 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641860008 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.641896963 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642426968 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642436028 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642491102 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642498970 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642508030 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642539978 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642548084 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642587900 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642596006 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.642991066 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643070936 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643079996 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643114090 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643121958 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643198967 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.643207073 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.644824028 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.644831896 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.644864082 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.645312071 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.645375967 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.645384073 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.645972967 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:01.645982027 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:02.388746023 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:02.439384937 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:09.077378988 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:09.082320929 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:09.389313936 CEST	587	49713	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:09.391762972 CEST	49713	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:09.395344973 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:09.400535107 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:09.403523922 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:10.630567074 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:10.633431911 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:10.638290882 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:10.941961050 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:10.945528030 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:10.951977015 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.255361080 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.257771015 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:11.264256954 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.578694105 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.578713894 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.578742981 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.578896046 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:11.580415964 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:11.586340904 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.889143944 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:11.890240908 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:11.896522045 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.197385073 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.197729111 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:12.202953100 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.505459070 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.505716085 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:12.511357069 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.835061073 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:12.835290909 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:12.840205908 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.146334887 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.146639109 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.151468992 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.474309921 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.477603912 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.482429028 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.784486055 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.784893990 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.785048008 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.785103083 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.785204887 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.786887884 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.789695024 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.789750099 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.789917946 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.789927006 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.789958954 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.789993048 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.791758060 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791774988 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791804075 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.791822910 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.791826963 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791836023 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791845083 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791866064 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.791896105 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.791946888 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.791992903 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.794549942 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.794559956 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.794615984 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.794697046 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.794707060 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.794738054 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.794751883 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.794780970 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796648979 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796691895 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796694040 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796740055 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796777010 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796787024 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796818018 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796833992 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796886921 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796933889 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.796936035 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.796974897 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.799578905 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.799631119 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.799669027 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.799741030 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.801537991 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801597118 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:13.801603079 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801651955 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801671028 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801681042 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801764011 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801772118 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801810026 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801889896 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.801928043 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.802011967 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.802021980 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.802031994 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804426908 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804487944 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804508924 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804574966 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804584026 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804630041 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.804639101 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806437016 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806446075 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806463003 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806504965 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806546926 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806555033 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806598902 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806607962 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806634903 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806644917 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806687117 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806695938 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:13.806727886 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:14.550039053 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:14.595607042 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:25.507374048 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:25.513073921 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:25.815537930 CEST	587	49714	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:25.820652962 CEST	49714	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:25.822689056 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:25.829487085 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:25.829560995 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:26.965991020 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:26.969377995 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:26.974205017 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.276597977 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.277137041 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:27.282037020 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.585300922 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.585774899 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:27.590677977 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.901952982 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.901976109 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.901988029 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:27.902038097 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:27.925920010 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:27.930762053 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.232820034 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.241872072 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:28.246763945 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.548458099 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.548747063 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:28.553558111 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.855953932 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:28.856216908 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:28.861023903 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.188622952 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.189516068 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:29.194480896 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.496702909 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.497529030 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:29.502360106 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.862443924 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:29.862664938 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:29.867536068 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.271426916 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.271742105 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.271806002 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.271833897 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.271893024 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.273264885 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.276530027 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.276607037 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.276659012 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.276669979 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.276679039 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.276730061 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.278136969 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278150082 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278173923 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278182983 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278187037 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.278191090 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278235912 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.278300047 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278310061 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.278354883 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.281300068 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.281311035 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.281348944 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.281373024 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.281424046 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.281466007 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.281616926 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.281660080 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.282941103 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.282999992 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283085108 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283139944 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283164024 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283205032 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283217907 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283227921 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283260107 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283282995 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283296108 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283344984 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.283348083 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.283397913 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.286163092 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.286189079 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.286236048 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.286268950 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.286422968 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.286473989 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.286490917 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.286535978 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.287817001 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.287882090 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.287978888 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.287987947 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288125992 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288228989 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288264036 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288274050 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288311958 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.288326025 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.290962934 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291023970 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291033030 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291042089 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291050911 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291066885 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291076899 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291085958 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291115046 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291122913 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291152954 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291162014 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291228056 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291287899 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291296959 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291305065 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.291315079 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292584896 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292596102 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292612076 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292632103 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292646885 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292776108 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292783976 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292802095 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292818069 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292826891 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.292834997 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:30.299329042 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:30.304106951 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:31.036279917 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:31.079981089 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:50.255062103 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:50.260009050 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:50.562182903 CEST	587	49715	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:50.562684059 CEST	49715	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:50.563661098 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:50.568579912 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:50.568669081 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:51.691510916 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:51.691737890 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:51.696641922 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:51.998724937 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:51.998868942 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.003705978 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.305717945 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.306411028 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.311275959 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.620090961 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.620111942 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.620125055 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.620179892 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.623775959 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.628876925 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.929642916 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.933351994 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.938170910 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.987248898 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:52.992506981 CEST	587	49716	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:52.992887020 CEST	49716	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.045448065 CEST	49717	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.050271988 CEST	587	49717	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:53.050448895 CEST	49717	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.473403931 CEST	49717	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.480370045 CEST	587	49717	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:53.481499910 CEST	49717	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.525358915 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:53.531975031 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:53.533488989 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:54.347923040 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:54.348061085 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:54.356986046 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:54.660808086 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:54.661045074 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:54.665841103 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:54.974323988 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:54.975934982 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:54.980890036 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.302620888 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.302639961 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.302651882 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.302772045 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:55.304567099 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:55.310056925 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.617068052 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:55.623718977 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:55.628519058 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.131993055 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.132230997 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:56.137473106 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.444649935 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.445292950 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:56.452147961 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.781035900 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:56.781641006 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:56.788003922 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.093357086 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.093599081 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.098388910 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.417958021 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.419539928 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.424801111 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.731281996 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.731615067 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.731690884 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.731764078 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.731870890 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.733457088 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.736449003 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.736502886 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.736506939 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.736553907 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.736767054 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.736812115 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738420963 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738466024 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738578081 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738626957 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738639116 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738683939 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738754988 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738799095 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738862038 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738872051 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.738922119 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.738940001 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.742362976 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.742387056 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.742396116 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.742404938 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.742408037 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.742439985 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.742461920 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.742719889 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.742767096 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.744700909 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.744744062 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.744786978 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.744844913 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.745420933 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.745486021 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.745569944 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.745635986 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.745717049 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.745743036 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.745786905 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.745809078 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.747484922 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.747587919 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.749475002 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.749528885 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.749571085 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.749696970 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.749864101 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750386953 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750396013 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750663042 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750725985 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750735998 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.750745058 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752381086 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752392054 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752444029 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752475977 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752495050 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752511024 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752552986 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752563000 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752598047 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752686024 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752695084 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752708912 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.752718925 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754307985 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754416943 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754432917 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754442930 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754555941 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754565954 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754575014 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754591942 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754601002 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754694939 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.754703999 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.877537012 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.882693052 CEST	587	49718	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.882750034 CEST	49718	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.949443102 CEST	49719	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:57.954731941 CEST	587	49719	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:57.954910994 CEST	49719	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:58.739748955 CEST	587	49719	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:58.745372057 CEST	49719	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:58.750171900 CEST	587	49719	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:59.002002954 CEST	49719	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:59.008358002 CEST	587	49719	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:59.008538961 CEST	49719	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:59.075768948 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:59.080663919 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:59.080780029 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:59.952402115 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:45:59.952560902 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:45:59.957405090 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.256196976 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.256417036 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:00.261327028 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.561238050 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.561713934 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:00.566592932 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.873233080 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.873250008 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.873261929 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:00.875238895 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:00.875240088 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:00.880127907 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:01.137370110 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:01.142735958 CEST	587	49720	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:01.142952919 CEST	49720	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:01.183763981 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:01.188627005 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:01.189424038 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:01.979645967 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:01.979790926 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:01.984551907 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.284550905 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.303286076 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:02.308161974 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.621424913 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.621905088 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:02.627455950 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.936660051 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.936707020 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.936728001 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.936739922 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:02.936805010 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:02.936902046 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:02.938404083 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:02.943249941 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.242871046 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.244834900 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:03.249690056 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.549078941 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.549345970 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:03.554258108 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.853988886 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:03.854290962 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:03.859142065 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:04.469779015 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:04.470046997 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:04.475397110 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:04.775355101 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:04.775835037 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:04.780725956 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.091607094 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.091875076 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.096759081 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.399996042 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.401647091 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.401743889 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.401743889 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.403060913 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.403060913 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.406542063 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.406563997 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.406574011 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.406708002 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.408114910 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408126116 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408135891 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408144951 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408154964 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408164978 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408173084 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408181906 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.408202887 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.408309937 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.411411047 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.411436081 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.411511898 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.411642075 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.413070917 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.413125038 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.413408995 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.413459063 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.413646936 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.413785934 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.416879892 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.417443037 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.421010017 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.421019077 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.421133995 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.421385050 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:05.422952890 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.425390005 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.425404072 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.425415039 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.425424099 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.426156998 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.426959038 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427103043 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427263975 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427278996 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427292109 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427308083 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427325010 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427421093 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427437067 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427448988 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:05.427460909 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:06.163804054 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:06.204952955 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:08.312216997 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:08.317925930 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:08.616421938 CEST	587	49721	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:08.616908073 CEST	49721	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:08.617928028 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:08.622764111 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:08.622859001 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:09.423458099 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:09.423677921 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:09.428467035 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:09.730400085 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:09.730576038 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:09.735477924 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.038655996 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.039175034 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:10.044008017 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.358869076 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.358921051 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.358961105 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.359009981 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:10.361417055 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:10.366183043 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.668607950 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.670562983 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:10.676683903 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.978092909 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:10.981657982 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:10.986866951 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.294851065 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.295129061 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:11.299968958 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.617618084 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.621584892 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:11.626389980 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.928463936 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:11.928746939 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:11.933568954 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.245784044 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.246114969 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.250901937 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.552911043 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.557909966 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.558088064 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.558185101 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.558311939 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.561728001 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.562732935 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.562777042 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.562844038 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.562944889 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.563065052 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.563107014 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566617966 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566663027 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566663980 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566701889 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566709995 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566745996 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566767931 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566812992 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566883087 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566894054 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566941023 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.566955090 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566965103 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.566973925 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.567006111 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.567034960 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.567558050 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.567599058 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.567886114 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.567930937 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572163105 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572175026 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572217941 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572248936 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572300911 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572349072 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572422981 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572432041 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572441101 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572485924 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572560072 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572570086 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572618961 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.572721004 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.572761059 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.573112965 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.573162079 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.573455095 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.573494911 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:12.577074051 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577227116 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577275991 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577323914 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577410936 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577430964 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577512026 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577588081 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577656031 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577722073 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577744961 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577754021 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577771902 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577786922 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577795029 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577835083 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577861071 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577868938 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.577899933 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578258038 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578267097 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578309059 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578336000 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578346014 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578353882 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578402996 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.578412056 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.581897020 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.581921101 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.581938982 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:12.581955910 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:13.339926004 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:13.393394947 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:19.288294077 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:19.323978901 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:19.626410007 CEST	587	49722	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:19.627971888 CEST	49722	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:19.627970934 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:19.632863998 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:19.632967949 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:20.423695087 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:20.423959017 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:20.428855896 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:20.729613066 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:20.729773998 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:20.734611988 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.036778927 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.040076971 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.044941902 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.360584021 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.360611916 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.360626936 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.360694885 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.360692024 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.360845089 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.363775015 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.368645906 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.669624090 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.673496962 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.678502083 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.979661942 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:21.979923010 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:21.984772921 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.286067963 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.286396027 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:22.291362047 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.612091064 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.612405062 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:22.617300987 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.918615103 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:22.919579029 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:22.924499035 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.236562014 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.236949921 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.241867065 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.545084953 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.545414925 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.545466900 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.545466900 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.549422026 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.550499916 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.550512075 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.550523043 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.554713011 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.556128025 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.561724901 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561736107 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561825991 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.561861038 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561870098 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561897993 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561943054 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561947107 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.561985016 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.562012911 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.562021971 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.562064886 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.562092066 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.562120914 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.562138081 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.567636013 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568253040 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568339109 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568367004 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.568389893 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568418980 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.568427086 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568497896 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.568594933 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568656921 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568665028 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568675041 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.568855047 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.574326038 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.574377060 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.574481964 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:23.574760914 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575550079 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575661898 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575670958 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575728893 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575737000 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575752020 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575784922 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575793028 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575840950 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575850010 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575886965 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575896025 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575952053 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.575961113 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.576014042 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.576023102 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.576055050 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.576086998 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.576143026 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579603910 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579615116 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579624891 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579678059 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579803944 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:23.579813004 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:24.329106092 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:24.376827955 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:42.692749977 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:42.699091911 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:42.999806881 CEST	587	49723	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:43.004112005 CEST	49723	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:43.007507086 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:43.012527943 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:43.015783072 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:44.207823992 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:44.208363056 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:44.213241100 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:44.514386892 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:44.514533043 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:44.519437075 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:44.826350927 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:44.833452940 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:44.842231989 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.153970003 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.153992891 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.154006004 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.154067993 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:45.155714035 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:45.160548925 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.378560066 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:45.384110928 CEST	587	49724	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.384336948 CEST	49724	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:45.429991007 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:45.434914112 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:45.435058117 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:46.220710039 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:46.221041918 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:46.226214886 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:46.525522947 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:46.525688887 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:46.530723095 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:46.830775976 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:46.831353903 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:46.836185932 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.146369934 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.146394968 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.146404982 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.146502018 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.146528959 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:47.146608114 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:47.147998095 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:47.152874947 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.451107979 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.453061104 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:47.458735943 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.757371902 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:47.757709980 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:47.763408899 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.062392950 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.062825918 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:48.067920923 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.387092113 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.387608051 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:48.393491030 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.692246914 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:48.693284988 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:48.700036049 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.007791042 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.009655952 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.014489889 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.112019062 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.117451906 CEST	587	49725	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.117526054 CEST	49725	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.164437056 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.169353008 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.171850920 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.963140011 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:49.963299990 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:49.968204975 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.267501116 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.267658949 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:50.272587061 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.573928118 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.574421883 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:50.579243898 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.887051105 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.887073994 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.887084961 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:50.887290001 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:50.889432907 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:50.894258022 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.193788052 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.197431087 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:51.202301025 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.501750946 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.505652905 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:51.510550976 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.810383081 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:51.810781002 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:51.815752029 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.130410910 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.130749941 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:52.135626078 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.582726955 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.582962990 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:52.588027000 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.898889065 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:52.901725054 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:52.906764984 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.206670046 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.207086086 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.207086086 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.207170963 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.207170963 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.208785057 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.212215900 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.212228060 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.212236881 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.212246895 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.212320089 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.213641882 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213705063 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213713884 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213725090 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.213773966 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213783026 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213877916 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.213923931 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.213934898 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.214031935 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.217235088 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.217245102 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.217377901 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.217942953 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.217952967 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.218028069 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.218873024 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.218918085 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.218943119 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.218971968 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.218976021 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.219026089 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.219041109 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.219063044 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.219110012 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.219147921 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.219178915 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.219209909 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.219258070 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.223028898 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.223177910 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.223464012 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224198103 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224208117 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224232912 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224260092 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224282980 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224311113 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.224359989 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224373102 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224376917 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.224490881 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:53.224493027 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224512100 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224526882 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224572897 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224642038 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224651098 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224659920 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224675894 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224684954 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224703074 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224711895 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.224745989 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.228091002 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.228916883 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.228938103 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.228945971 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229207993 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229228020 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229312897 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229321957 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229329109 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229336977 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229353905 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229362965 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229403019 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229413033 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229422092 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229449987 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229458094 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.229485989 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:53.964385986 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:54.017477036 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:56.785202980 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:56.790479898 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:57.089915037 CEST	587	49726	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:57.091109037 CEST	49726	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:57.091121912 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:57.097565889 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:57.097889900 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:57.893332005 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:57.893791914 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:57.898662090 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.197108030 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.197298050 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:58.202141047 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.501854897 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.502254963 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:58.507097006 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.813925028 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.813950062 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.813960075 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.814007998 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:58.814013958 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:58.814074039 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:58.815505981 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:58.820317984 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.121032000 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.122895956 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:59.127779961 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.433571100 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.437644958 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:59.442687988 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.493427038 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:59.500220060 CEST	587	49727	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.505431890 CEST	49727	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:59.536942959 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:46:59.542264938 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:46:59.545574903 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:00.359153032 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.359297037 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:00.366452932 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.668073893 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.668231964 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:00.673135042 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.973448038 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:00.980911970 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.981977940 CEST	587	49728	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:00.982009888 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:00.989444017 CEST	49728	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:01.057456970 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:01.228199959 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:01.229522943 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.018666983 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.018856049 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.026199102 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.329386950 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.329684973 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.334680080 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.636360884 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.637017012 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.644493103 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.951708078 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.951730013 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.951740980 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:02.951884031 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.955499887 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:02.960393906 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:03.259463072 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:03.263986111 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:03.271173954 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:03.569561005 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:03.569843054 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:03.574736118 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:07.872910023 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:07.873375893 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:07.878281116 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:08.483289003 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:08.483666897 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:08.488820076 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:08.565423965 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:08.570779085 CEST	587	49729	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:08.570856094 CEST	49729	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:08.641469002 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:08.646604061 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:08.646678925 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:09.431899071 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:09.432153940 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:09.437041998 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:09.735466003 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:09.763726950 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:09.768654108 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.069654942 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.070247889 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.077100992 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.387980938 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.388006926 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.388020992 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.388088942 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.388123989 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.388159990 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.390444994 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.395260096 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.693866968 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.695909023 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.700834990 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.705323935 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.710515976 CEST	587	49730	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.710629940 CEST	49730	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.759180069 CEST	49731	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.764089108 CEST	587	49731	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.764225960 CEST	49731	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.941483974 CEST	49731	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.946717024 CEST	587	49731	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.952260017 CEST	49731	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.990950108 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:10.996325970 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:10.996505976 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:11.811985970 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:11.812211037 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:11.817998886 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:12.121937990 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:12.122179985 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:12.127747059 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:12.432936907 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:12.517487049 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:13.824600935 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:13.827451944 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:13.829684019 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:13.832695007 CEST	587	49732	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:13.839551926 CEST	49732	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:13.863208055 CEST	49733	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:13.868124962 CEST	587	49733	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:13.868232012 CEST	49733	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:14.673078060 CEST	587	49733	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:14.673360109 CEST	49733	587	192.168.2.5	122.201.84.5
Jul 3, 2024 08:47:14.678217888 CEST	587	49733	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:14.983036041 CEST	587	49733	122.201.84.5	192.168.2.5
Jul 3, 2024 08:47:15.033102036 CEST	49733	587	192.168.2.5	122.201.84.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 08:43:10.531975985 CEST	61116	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:43:10.539401054 CEST	53	61116	1.1.1.1	192.168.2.5
Jul 3, 2024 08:44:56.339860916 CEST	65164	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:44:56.816852093 CEST	53	65164	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 08:43:10.531975985 CEST	192.168.2.5	1.1.1.1	0x17ef	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:44:56.339860916 CEST	192.168.2.5	1.1.1.1	0x401b	Standard query (0)	mail.technique.net.au	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 08:43:10.539401054 CEST	1.1.1.1	192.168.2.5	0x17ef	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:43:10.539401054 CEST	1.1.1.1	192.168.2.5	0x17ef	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:43:10.539401054 CEST	1.1.1.1	192.168.2.5	0x17ef	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:44:56.816852093 CEST	1.1.1.1	192.168.2.5	0x401b	No error (0)	mail.technique.net.au	122.201.84.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.74.152	443	6176	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 06:43:11 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-03 06:43:11 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 06:43:11 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89d4e65bcb4c43d5-EWR
2024-07-03 06:43:11 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 08:44:58.102564096 CEST	587	49713	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:52:02 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:44:58.102941036 CEST	49713	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:44:58.412111998 CEST	587	49713	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:44:58.413475990 CEST	49713	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:44:58.723325014 CEST	587	49713	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:45:10.630567074 CEST	587	49714	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:52:15 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:10.633431911 CEST	49714	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:45:10.941961050 CEST	587	49714	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:45:10.945528030 CEST	49714	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:45:11.255361080 CEST	587	49714	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:45:26.965991020 CEST	587	49715	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:52:31 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:26.969377995 CEST	49715	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:45:27.276597977 CEST	587	49715	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:45:27.277137041 CEST	49715	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:45:27.585300922 CEST	587	49715	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:45:51.691510916 CEST	587	49716	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:52:56 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:51.691737890 CEST	49716	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:45:51.998724937 CEST	587	49716	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:45:51.998868942 CEST	49716	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:45:52.305717945 CEST	587	49716	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:45:54.347923040 CEST	587	49718	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:52:59 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:54.348061085 CEST	49718	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:45:54.660808086 CEST	587	49718	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:45:54.661045074 CEST	49718	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:45:54.974323988 CEST	587	49718	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:45:58.739748955 CEST	587	49719	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:03 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:58.745372057 CEST	49719	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:45:59.952402115 CEST	587	49720	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:04 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:45:59.952560902 CEST	49720	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:00.256196976 CEST	587	49720	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:00.256417036 CEST	49720	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:00.561238050 CEST	587	49720	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:01.979645967 CEST	587	49721	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:06 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:01.979790926 CEST	49721	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:02.284550905 CEST	587	49721	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:02.303286076 CEST	49721	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:02.621424913 CEST	587	49721	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:09.423458099 CEST	587	49722	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:14 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:09.423677921 CEST	49722	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:09.730400085 CEST	587	49722	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:09.730576038 CEST	49722	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:10.038655996 CEST	587	49722	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:20.423695087 CEST	587	49723	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:25 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:20.423959017 CEST	49723	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:20.729613066 CEST	587	49723	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:20.729773998 CEST	49723	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:21.036778927 CEST	587	49723	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:44.207823992 CEST	587	49724	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:48 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:44.208363056 CEST	49724	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:44.514386892 CEST	587	49724	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:44.514533043 CEST	49724	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:44.826350927 CEST	587	49724	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:46.220710039 CEST	587	49725	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:51 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:46.221041918 CEST	49725	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:46.525522947 CEST	587	49725	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:46.525688887 CEST	49725	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:46.830775976 CEST	587	49725	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:49.963140011 CEST	587	49726	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:53:54 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:49.963299990 CEST	49726	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:50.267501116 CEST	587	49726	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:50.267658949 CEST	49726	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:50.573928118 CEST	587	49726	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:46:57.893332005 CEST	587	49727	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:02 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:46:57.893791914 CEST	49727	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:46:58.197108030 CEST	587	49727	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:46:58.197298050 CEST	49727	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:46:58.501854897 CEST	587	49727	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:47:00.359153032 CEST	587	49728	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:05 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:47:00.359297037 CEST	49728	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:47:00.668073893 CEST	587	49728	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:47:00.668231964 CEST	49728	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:47:00.980911970 CEST	587	49728	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:47:02.018666983 CEST	587	49729	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:06 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:47:02.018856049 CEST	49729	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:47:02.329386950 CEST	587	49729	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:47:02.329684973 CEST	49729	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:47:02.636360884 CEST	587	49729	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:47:09.431899071 CEST	587	49730	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:14 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:47:09.432153940 CEST	49730	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:47:09.735466003 CEST	587	49730	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:47:09.763726950 CEST	49730	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:47:10.069654942 CEST	587	49730	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:47:11.811985970 CEST	587	49732	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:16 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:47:11.812211037 CEST	49732	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:47:12.121937990 CEST	587	49732	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 08:47:12.122179985 CEST	49732	587	192.168.2.5	122.201.84.5	STARTTLS
Jul 3, 2024 08:47:12.432936907 CEST	587	49732	122.201.84.5	192.168.2.5	220 TLS go ahead
Jul 3, 2024 08:47:14.673078060 CEST	587	49733	122.201.84.5	192.168.2.5	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Wed, 03 Jul 2024 16:54:19 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 08:47:14.673360109 CEST	49733	587	192.168.2.5	122.201.84.5	EHLO 818225
Jul 3, 2024 08:47:14.983036041 CEST	587	49733	122.201.84.5	192.168.2.5	250-biz204.vodien.com.au Hello 818225 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP

Target ID:	0
Start time:	02:43:03
Start date:	03/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\B24E33 ENQUIRY.vbe"
Imagebase:	0x7ff6d7cb0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:43:07
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\Temp\HHhHh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Imagebase:	0x2b0000
File size:	226'304 bytes
MD5 hash:	4E7F57441EA44798FDB4C7387334ADC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2072028048.0000000002570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2072331401.000000000259B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2072436946.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2072436946.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:43:08
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
Imagebase:	0xff0000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4494963592.000000000337B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4492523946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	41.2%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	2

Executed Functions

Function 00B31A88 Relevance: 4.1, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i)s;, xrefs: 00B31DD6
Te]q, xrefs: 00B31EC8
i)s;, xrefs: 00B31DCF

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: Te]q$i)s;$i)s;
API String ID: 0-1914756382
Opcode ID: 3eab4e3180f61761f190f608f08a6c3f9e75fce10e2155557e0aaed2162871d1
Instruction ID: a5fa2dd860387b6ec98215576d876c7df11029bc58511bdc25ae6a52fe3ec6d2
Opcode Fuzzy Hash: 3eab4e3180f61761f190f608f08a6c3f9e75fce10e2155557e0aaed2162871d1
Instruction Fuzzy Hash: 73D124B4E05229CFDB14CFA9C884BAEBBF6BF49300F2099A9D409B7255D7305985DF14

Function 00B333B0 Relevance: 2.8, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D]/9, xrefs: 00B33704
D]/9, xrefs: 00B3370B

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: D]/9$D]/9
API String ID: 0-3097425034
Opcode ID: 5d2817abe12e594c82776a2338cb14d851f858a94ca131e508bc3ff461c39a60
Instruction ID: 924bb9b28fe3af567f55cc2512b48c4bc68bb3abdb9d289d46dbd036cd4ac853
Opcode Fuzzy Hash: 5d2817abe12e594c82776a2338cb14d851f858a94ca131e508bc3ff461c39a60
Instruction Fuzzy Hash: C1B110B0E05209DFDB04CFA9C585AAEFBF5FB89700F2495AAD415AB310D3309A46CF54

Function 00B3C888 Relevance: 1.8, Strings: 1, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00B3D064

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: c9e6cdf79f424f9f57ce957c10240ab80ecafff5f7174b24f1080fd47b10b561
Instruction ID: 6e56685c631e4fd7432eb8965d1dceb337150b6a5eda4ba3c6711b1884b264b5
Opcode Fuzzy Hash: c9e6cdf79f424f9f57ce957c10240ab80ecafff5f7174b24f1080fd47b10b561
Instruction Fuzzy Hash: 7452BE75D012288FDB68DF65C994BEDBBF2AF89300F6081EA940DA7291DB345E85CF40

Function 00B333A0 Relevance: 1.5, Strings: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D]/9, xrefs: 00B3370B

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: D]/9
API String ID: 0-474947056
Opcode ID: 279f1269ac72fb293d122a83892539a3a32148064bbcfeb18c27a5ca326b5834
Instruction ID: e8021b8b6119fd3529c8858dba5bd37fc90c8ee84a333ad3031d5629e7ba2aa9
Opcode Fuzzy Hash: 279f1269ac72fb293d122a83892539a3a32148064bbcfeb18c27a5ca326b5834
Instruction Fuzzy Hash: 94A132B0E09209DFCB04CFA9C485AAEFBF1FB89700F2495AAD415AB360D7309A45CF54

Function 00B39830 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2286f46c4f171d26d015b02aeeefa8d03248094c4b4c2d1c6596b081611a2ab
Instruction ID: 70bb763d044562015f4ab36ee35f6e8e8c3da45a27d4d7afbaedd93b1412e393
Opcode Fuzzy Hash: f2286f46c4f171d26d015b02aeeefa8d03248094c4b4c2d1c6596b081611a2ab
Instruction Fuzzy Hash: 33E1B074D05228CFDB64DFA5D884BADBBB2FB49300F2081AAD80AA7351DB705A85CF51

Function 00B39821 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5852ee44cf33cd58add6661dae1bd35618c1b8f26da2d8978d57680ce186344e
Instruction ID: 73e917747f3709a83071fb54c2b3b89d3b1293815e7c2745cb2ef775149caaae
Opcode Fuzzy Hash: 5852ee44cf33cd58add6661dae1bd35618c1b8f26da2d8978d57680ce186344e
Instruction Fuzzy Hash: 96E1BF74D05228CFDB64DFA5D980BEDBBB2FB49300F2081AAD80AA7355DB705A85CF51

Function 00B39ECC Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f26744bc05a2392a3061cf34f04afa61faa3c5d2d0433707ed4b25979b2307d
Instruction ID: 0417ae32124508a31f1675c61f434c726c86542ad60e47b4d704df1001f3e9e6
Opcode Fuzzy Hash: 3f26744bc05a2392a3061cf34f04afa61faa3c5d2d0433707ed4b25979b2307d
Instruction Fuzzy Hash: E7816C74E042159FDB05CBA9D88099EFFF2BF89304F28C59AD055AB26AD731E942CF50

Function 00B32B28 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e01e41e1924f298296d976131c6984f7ee8b8ef3c6b57b065a29d536568a
Instruction ID: 9a00b0e6380e202056f3bed0e5396145f69c01ebf10c0371d3400782e4afe0ce
Opcode Fuzzy Hash: 38b6e01e41e1924f298296d976131c6984f7ee8b8ef3c6b57b065a29d536568a
Instruction Fuzzy Hash: B8810674D05218CBDB08CFA9D8846EEBBF2FB88300F24E06AD416B7255D7749986CF59

Function 00B39EF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74046c37c7bad30fa262c7a769ab62207faffef91119fa0928f474258427ce9b
Instruction ID: c96bdaa2984b7cb4ff8174f3417c98d6a5af32bb7be1b7852827c0920f986819
Opcode Fuzzy Hash: 74046c37c7bad30fa262c7a769ab62207faffef91119fa0928f474258427ce9b
Instruction Fuzzy Hash: 6A815D74E041199BDB04CFA9D88099EFBF2BF89344F34C5AAD059A7229D731E942CF90

Function 00B3094B Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 00B30A7C
/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /$2
API String ID: 0-4117719273
Opcode ID: 9806c7b9f1f3d6b958050cd9c0dfcc6cce6b9c7453d462f1d2a7e95c370cc5d5
Instruction ID: 450c7468fb37e302dcf47034cc4b52838ff6a3aedee30b1b0950a08240d36531
Opcode Fuzzy Hash: 9806c7b9f1f3d6b958050cd9c0dfcc6cce6b9c7453d462f1d2a7e95c370cc5d5
Instruction Fuzzy Hash: 82412474D01229CFCB60DFA9D984A9EBBF6FF49301F2485A5D409AB351D7309A85CF40

Function 071E6658 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071E6837

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9244a8133bad79cbb349351edb0fdc6088b8b91fad20bf5321cad54cb5d9a354
Instruction ID: 31f749cc7cd21df172a0cc892b84bf1302875d4c3bf0900a2339bf620e986a91
Opcode Fuzzy Hash: 9244a8133bad79cbb349351edb0fdc6088b8b91fad20bf5321cad54cb5d9a354
Instruction Fuzzy Hash: AA81AFB5C00229DFCB25CFA9C980BDDBBF5AB19304F0490AAE548B7260DB749A85CF54

Function 071E70C8 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E7196

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9670f97db77071c368fd21fb2b7f9c1d96a9ba761bd0cdd0da506f94e24edf39
Instruction ID: d86d84ef5a3ddc67b01c9f14ed83dcbf0bbefe9fec383583a550f40e397ffbd2
Opcode Fuzzy Hash: 9670f97db77071c368fd21fb2b7f9c1d96a9ba761bd0cdd0da506f94e24edf39
Instruction Fuzzy Hash: A84188B5D00259DFCB00CFA9D984ADEFBF5BB09314F24902AE818B7250D335AA45CF64

Function 071E6AA0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E6B4D

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9c576b5ee889e4754bbe63e1ce53d003a4099e6434f2013108467c065b569784
Instruction ID: 66ca8a9b54fc490e5f644b331283c962f068740abba100443593e81908bbc25a
Opcode Fuzzy Hash: 9c576b5ee889e4754bbe63e1ce53d003a4099e6434f2013108467c065b569784
Instruction Fuzzy Hash: F63167B9D04258DFCF10CFAAD984ADEFBB5BB19310F14A02AE814B7250D335AA45CF65

Function 071E6FC0 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071E7065

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a1db4a885f4f0455f4109823a815086139b2611c8f25091942d9e02abc455fd
Instruction ID: 6ce180638a997b3a3fcff49e8a33769cff08b675782740eceae8949c6f975fc3
Opcode Fuzzy Hash: 0a1db4a885f4f0455f4109823a815086139b2611c8f25091942d9e02abc455fd
Instruction Fuzzy Hash: E13155B9D04258DFCF10CFA9D984A9EFBB5BB1A310F10A02AE818B7350D335A945CF65

Function 071E6990 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 071E6A3A

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: edfd424d616b056c6a91cc1b020eadb0f4957aa706f9f7757e1a2b2a89f27fd1
Instruction ID: 47b70eadb18ff440ec66d452b06dfac6c9d62772c1b80d4c33433c24574cd563
Opcode Fuzzy Hash: edfd424d616b056c6a91cc1b020eadb0f4957aa706f9f7757e1a2b2a89f27fd1
Instruction Fuzzy Hash: 0031BBB5D012589FCB10CFAAD984ADEFBF5BB49314F24902AE418B7350D378A945CFA4

Function 071E7208 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 071E727E

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dd9ff1fd4d5b656667f06d4a6de24bc8c418084bad203399d6e6d1566284d0fa
Instruction ID: 624346cf909a06724cf6a28aa14324a6ff65581d03538447bdca5911d9690e18
Opcode Fuzzy Hash: dd9ff1fd4d5b656667f06d4a6de24bc8c418084bad203399d6e6d1566284d0fa
Instruction Fuzzy Hash: 062186B9D002199FDB10CFA9D584ADEFBF4EB09324F24905AE818B7350D335A945CFA4

Function 00B3843F Relevance: 1.5, Strings: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

14b, xrefs: 00B3847D

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: 14b
API String ID: 0-375422290
Opcode ID: a05ee13b63d3b6a575557cc81bd6a1cee8e1081ad15d5e3b20da80ed9744ef04
Instruction ID: a6fb11650e00a46a4c449daae2e24d96a3a33b248121e4b1c160522f2b039e64
Opcode Fuzzy Hash: a05ee13b63d3b6a575557cc81bd6a1cee8e1081ad15d5e3b20da80ed9744ef04
Instruction Fuzzy Hash: D591DDB4D05209CFCB10CFA9D581AAEFBF1FB58300F30969AE816AB215DB309945CF56

Function 00B30DB0 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: b885116538f159424d72375e46f1feba23687cf1fff6f699ee18b9800aa73e2c
Instruction ID: cd2c9f3a8d9689cad59626c523cdb407a73e0a4010d5cd74f917a632367e53fd
Opcode Fuzzy Hash: b885116538f159424d72375e46f1feba23687cf1fff6f699ee18b9800aa73e2c
Instruction Fuzzy Hash: 9B41D174A112298FCB60DFA8C984A9EFBF2FF49301F6585E5D409AB251D730EA85CF50

Function 00B30994 Relevance: 1.3, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 041f7eae9d054d7377b436916561d64cd92a6d017d8c2af27b09ece421e5038d
Instruction ID: 38184385fe8ee6a9e6832fcdf2b15c4135305cb42b622902bd933fc90b267360
Opcode Fuzzy Hash: 041f7eae9d054d7377b436916561d64cd92a6d017d8c2af27b09ece421e5038d
Instruction Fuzzy Hash: 8941E274E11229CFCB60DFA9C984A9EBBF2FF59301F2485A9D409A7351DB309A85CF50

Function 00B3162C Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c2222a46ab0ff8aaae7eadfbfc28b89b5c3b1adc3f2909d299f3e4543cb0dc21
Instruction ID: 686cb03442a61bf70c5af017d5ad50d2f8287b22e4be3117e910bd2a6df14f52
Opcode Fuzzy Hash: c2222a46ab0ff8aaae7eadfbfc28b89b5c3b1adc3f2909d299f3e4543cb0dc21
Instruction Fuzzy Hash: 3B310274911229CBCB60DFA9C984A9EBBF2FF49301F2489E5D409AB301D730AA84CF50

Function 00B30F5B Relevance: 1.3, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6c11a151a5eb37a1074fd6c56f1dd881d8c7cb8f2c176aec56d43b1df365a629
Instruction ID: edc5e390727987f58da37f893b9a5afa545bdf581f2f07c5c68098405e8c8d41
Opcode Fuzzy Hash: 6c11a151a5eb37a1074fd6c56f1dd881d8c7cb8f2c176aec56d43b1df365a629
Instruction Fuzzy Hash: F231F274A111298FCB60DF68C980A9EBBF2FF59301F2489E5D409A7301DB309E80CF50

Function 00B30C51 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c8ed39a6dc004106915387e9e374bc31953eb40d688bbbd6aeb1e5fecbe94eda
Instruction ID: b6ea3549a301e1ac7da23ba1030280e1e9c6171c6b25bfbccc01af9c08d102fe
Opcode Fuzzy Hash: c8ed39a6dc004106915387e9e374bc31953eb40d688bbbd6aeb1e5fecbe94eda
Instruction Fuzzy Hash: 34311374A11129CFCB64DFA8C980A9EBBF6FF49301F2489A9D409A7351D730AA84CF50

Function 00B30C17 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3fcb2827e01324aeea47bc8ecd262b8b81ee913e41b4785e694843708c15ae69
Instruction ID: f185b790d9794604f73dde6e3851d63e02d0f828b6d30372bded33aa72e6f8fc
Opcode Fuzzy Hash: 3fcb2827e01324aeea47bc8ecd262b8b81ee913e41b4785e694843708c15ae69
Instruction Fuzzy Hash: D0311474A111198FCB60DFA9C980A9EBBF6FF5A301F24C5A5D409AB251DB30AA84CF50

Function 00B3150E Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d726726c900365c0d5dfdb186d794c5bcb89696f1dc5d2287250eb64418e5fbd
Instruction ID: b83c32d6164b5a580927b7b30c17632db3d42e706b3b3e5d72cbfc76e04cf3d3
Opcode Fuzzy Hash: d726726c900365c0d5dfdb186d794c5bcb89696f1dc5d2287250eb64418e5fbd
Instruction Fuzzy Hash: 5731F174A01129CFDB60DFA8C984A9EBBF2FF59301F2485A5D409A7351DB30AA85CF50

Function 00B30EF8 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a2aab1bc6d5b59813b21bb5df4fcb00a8f00bbb7b4d3b1c51c084275d9097f8c
Instruction ID: 6cd628fe17e7ab99a891f5742ae7cebfdeffff146e42da1bd6259c5fdb3e9811
Opcode Fuzzy Hash: a2aab1bc6d5b59813b21bb5df4fcb00a8f00bbb7b4d3b1c51c084275d9097f8c
Instruction Fuzzy Hash: DE31D274911229CBCB60DFA8C980A9EBBF6FF59301F24C5E5D409AB251DB34AA84CF50

Function 00B31091 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 604cb39b3aea4216bf009a4346a816e522f7afb04ae1d275e2b545b6e823a7f6
Instruction ID: 2480f3331de87f54c7d2481135bf58127bfa917289aed62aa2165fe2577633be
Opcode Fuzzy Hash: 604cb39b3aea4216bf009a4346a816e522f7afb04ae1d275e2b545b6e823a7f6
Instruction Fuzzy Hash: CB310674A11129CFCB64DFA8C980A9EBBF6FF59301F24C5A5D409A7251DB30AE85CF50

Function 00B30CEB Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 50a4161dfa7a3caa75476e002b3be4d2ba0373736db4a1b79db1e6e84663d2d1
Instruction ID: 128e5f752a7999bb0fb81a0e16185ed92765a124dff686e88f7a078a4268565d
Opcode Fuzzy Hash: 50a4161dfa7a3caa75476e002b3be4d2ba0373736db4a1b79db1e6e84663d2d1
Instruction Fuzzy Hash: 0D312874A11119CFCB60DFA8C980A9EBBF2FF49301F24C5A5D409AB251DB309E84CF50

Function 00B3097E Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 599b069aba53cf35c37ed53597ada24d4cf03a3a47dac379de56bbabc4b38b6d
Instruction ID: e2707cabf1e70b6ce4432f97f21f0b1204ad50c9b63d8cca3b89249f68868562
Opcode Fuzzy Hash: 599b069aba53cf35c37ed53597ada24d4cf03a3a47dac379de56bbabc4b38b6d
Instruction Fuzzy Hash: 4B31F274A11129CFCB60DFA8C980A9EBBF6FF59301F24C5A5D409AB251DB30AE84CF50

Function 00B30951 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a8a3c0e2262ea392956d0651387a70a271e260bc5c5e846e7450a8e94f2a3cb6
Instruction ID: a7462c10d886fd778ba5499b59127f36a8b54b3b386f266c7625a027d01f018e
Opcode Fuzzy Hash: a8a3c0e2262ea392956d0651387a70a271e260bc5c5e846e7450a8e94f2a3cb6
Instruction Fuzzy Hash: 73310474A11129CFCB60DFA8C980A9EBBF6FF59301F24C5A5D409AB251DB30AE84CF50

Function 00B312E3 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ec7abc3ca06264a13705ab6b1ceede58a0be62a5bbe8fe7c390fe7e64f569ec3
Instruction ID: cb9d667a6ecdb8534abb899def7e51a1b186bf7e6d0b66f12e7125ac8aee5fca
Opcode Fuzzy Hash: ec7abc3ca06264a13705ab6b1ceede58a0be62a5bbe8fe7c390fe7e64f569ec3
Instruction Fuzzy Hash: 7D310474A11129CFCB60DFA9C980A9EBBF6FF59301F25C5A5D409AB251DB30AE84CF50

Function 00B31277 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7be5d9287efe0e862917f94fc62f03361bb843aa3270964cf1d84139f3011513
Instruction ID: 69702219cb97cf594e624cf8b03e83cc99ed3011d2f99dde1ebccc1f79a46ddf
Opcode Fuzzy Hash: 7be5d9287efe0e862917f94fc62f03361bb843aa3270964cf1d84139f3011513
Instruction Fuzzy Hash: CB310374A11119CFCB60DFA9C980A9EBBF2FF49301F24C5A5D409AB251DB30AA85CF50

Function 00B30A43 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d7dc0ce8e41faf08e080453a20848de61279aa30a9c16e5a880266396f2e5f76
Instruction ID: e405045d5ab9a24abe2cd06307929602bcc5d3fc123ea599a3fada373c839c5e
Opcode Fuzzy Hash: d7dc0ce8e41faf08e080453a20848de61279aa30a9c16e5a880266396f2e5f76
Instruction Fuzzy Hash: 0D31E274A111298BCB60DFA8C980A9EBBF6FF59301F2485A5D409AB351DB30AA85CF50

Function 00B30BAB Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: b6b534c567a58db8eb1b94a071d7b42bc9cfed5db09c9ef6ba09a6ec50ea9147
Instruction ID: ee493e809d1e19a2b0fe3b36e04d04e2b1d861ad4720bce8a4588de48a1f2386
Opcode Fuzzy Hash: b6b534c567a58db8eb1b94a071d7b42bc9cfed5db09c9ef6ba09a6ec50ea9147
Instruction Fuzzy Hash: 4C31F274A11129CFCB60DFA8C980A9EBBF6FF59301F24C5A5D409AB351DB30AA84CF50

Function 00B30F86 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 61c01bb80c6cb63677df1ac52ede2d8572000091e418aec1f7521d958650a640
Instruction ID: 554b37adc84ee341628d34f706659093ef2df3c7cbfc0a2ab66043dfb1369f3d
Opcode Fuzzy Hash: 61c01bb80c6cb63677df1ac52ede2d8572000091e418aec1f7521d958650a640
Instruction Fuzzy Hash: BD31D2749112298BCB60DFA9C984A9EBBF2FF59301F24C5E5D409AB251DB30AA85CF50

Function 00B30F31 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d57324a7beba90bc352e52d84cba80c0ab3aabfc6927497f4198be46c3a6ca17
Instruction ID: 433908b8bf4021843e85f85a8d9c8c0bcd5ba4b49801da977e02428744c50840
Opcode Fuzzy Hash: d57324a7beba90bc352e52d84cba80c0ab3aabfc6927497f4198be46c3a6ca17
Instruction Fuzzy Hash: D9312674A11119CFCB60DFA8C980A9EBBF6FF49301F24C5A5D409AB251DB30AE84CF50

Function 00B30B3F Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 2100bbd082c0882755084323684a285ceff8f1e5408550e02a21f583c5ad98f7
Instruction ID: 46ac3e5d6d7d8ead4b84a8bfb0e604783ee37f6e596209c6fb1251e72bf71968
Opcode Fuzzy Hash: 2100bbd082c0882755084323684a285ceff8f1e5408550e02a21f583c5ad98f7
Instruction Fuzzy Hash: C1310274A11129CFCB60DFA8C980A9EBBF6FF59301F24C5A5D409AB251DB30AE85CF50

Function 00B30F0E Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fef9f98546643e9a3f504ce205b29aa98945cbb0978d5fb33bf81bf416a38bea
Instruction ID: 561511fb7ea198bef3a92bbe015fdc5b0c4b009b505e28c1bfc1714932f58453
Opcode Fuzzy Hash: fef9f98546643e9a3f504ce205b29aa98945cbb0978d5fb33bf81bf416a38bea
Instruction Fuzzy Hash: D531EF74A011298FCB60DFA8C984A9EBBF2FF59301F24C5A5D409AB311DB30AA848F50

Function 00B30C8F Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 043b7be83407384b46683d6a6301d14aea5592dc8c66cee145a10d78dd890146
Instruction ID: f7424ce5d28fac2706803ee7cf51feb1892666af528d6ef3523f9d93ec1f0097
Opcode Fuzzy Hash: 043b7be83407384b46683d6a6301d14aea5592dc8c66cee145a10d78dd890146
Instruction Fuzzy Hash: 7531E074A11129CFCB60DFA8C984A9EBBF6FF59301F24C5A5D409AB251DB30AE84CF50

Function 00B311A2 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 82b7d6ee8eb36dd5030ac9505d484c0d0985541fde0c05585383eab38a502b56
Instruction ID: 80c76a9a76114fc0289178d060b1c4cc6732a172e98f572d3deabcd300d238a2
Opcode Fuzzy Hash: 82b7d6ee8eb36dd5030ac9505d484c0d0985541fde0c05585383eab38a502b56
Instruction Fuzzy Hash: 9531E374A11129CFCB60DFA8C984A9EBBF6FF59301F24C5A5D409AB251DB30AE85CF50

Function 00B31234 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 64fb708327aff6a5a51ff0a8f601274c3054a366c3e3d330eaa298be1a89e415
Instruction ID: 88c0499b035cb559fb951914f77e356c0559080384428c3a5ddbf901fced0415
Opcode Fuzzy Hash: 64fb708327aff6a5a51ff0a8f601274c3054a366c3e3d330eaa298be1a89e415
Instruction Fuzzy Hash: 3E31E374A11129CFCB60DFA8C984A9EBBF6FF59301F24C5A5D409AB251DB30AE84CF50

Function 00B311FA Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

/, xrefs: 00B30FF1

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 17b2f20897866dd2b84ad22c85ca0bcafed1e46f6d77e5bd122b34d7778dc184
Instruction ID: 263d0bd850e544fae4905968a3e4ab9f3a748395be3356268e3d9c20b0c28461
Opcode Fuzzy Hash: 17b2f20897866dd2b84ad22c85ca0bcafed1e46f6d77e5bd122b34d7778dc184
Instruction Fuzzy Hash: D131E074A11129CFCB60DFA8C984A9EBBF2FF59301F24C5A5D409AB251DB30AE84CF50

Function 00B34895 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

, xrefs: 00B348C9

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ee39129045e58bb0c971b56f53bf6e70a90e930d27448be3eb26610652dcf9f
Instruction ID: a2ad2929df9a3ce2057ac836da1e772948b48f87d6ec6f31b9d75f89f9794c25
Opcode Fuzzy Hash: 6ee39129045e58bb0c971b56f53bf6e70a90e930d27448be3eb26610652dcf9f
Instruction Fuzzy Hash: CBE092349042688FDB10CF58C888A9ABBF2BF45300F2692D9D80567226C770F984CE55

Function 00B34D8D Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

2, xrefs: 00B34DC6

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 0e146c680d7454bcf8da4543908475da56a152581c16d701cb8896e9653121f4
Instruction ID: ae27be6b3a0aff50b3aadfe90a2ffafdb57b7455f534e11558d3e3c5e6fa4378
Opcode Fuzzy Hash: 0e146c680d7454bcf8da4543908475da56a152581c16d701cb8896e9653121f4
Instruction Fuzzy Hash: 20E052B49052288FDB90CF59C884B9EB7B6BF88310F248299D419A7365D7309A84CF52

Function 00B34C92 Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

;, xrefs: 00B34CA2

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 816f7aef7905c871e3d4fa2bd0ddc94f00a168363dc4cc54c4f7ed8b705f89fe
Instruction ID: 97abde9723c6f7aeb8f67dad7110d1f640c7d48e4c5be8f45b56073f0d833441
Opcode Fuzzy Hash: 816f7aef7905c871e3d4fa2bd0ddc94f00a168363dc4cc54c4f7ed8b705f89fe
Instruction Fuzzy Hash: 06C09270501228CFD700CF54D988AAEBBF5BB4A386F110299E80A67272C7709E04CE00

Function 00B398A3 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc43336ca594dd668335c9029640a0eb53978ae088633af9bf4880a7feb6c83
Instruction ID: f3953719a2f4ffb9b7416c74fa5028fa359a7c110697545673bc0591cc83b81d
Opcode Fuzzy Hash: 2cc43336ca594dd668335c9029640a0eb53978ae088633af9bf4880a7feb6c83
Instruction Fuzzy Hash: 51E19E74E05228CFDB64DFA5D984BADBBB1BB49300F2081EAD80AA7351DB705E85CF51

Function 00B39B11 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aac22314a5464001c2645f3818c1cab534d4542401351bbb9491817d20f9f10
Instruction ID: 3865e292f2ffb6bc53ab365a1fa34a1575d937f5eb3625a8daf979c26c8e9ab5
Opcode Fuzzy Hash: 7aac22314a5464001c2645f3818c1cab534d4542401351bbb9491817d20f9f10
Instruction Fuzzy Hash: 79D1AD74D05228CFDB64DFA5D984BADBBB2FB49300F2081AAD80AA7351DB705A85CF51

Function 00B3BCD5 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ddc0b439d8a1467917197c30ef4e49c6a4c422fc7690d11d34b748c8e7de5e
Instruction ID: 7483f39ffd981552f1b1565e5f186f22f56dd419cc6aec23e51aa412d26049de
Opcode Fuzzy Hash: 41ddc0b439d8a1467917197c30ef4e49c6a4c422fc7690d11d34b748c8e7de5e
Instruction Fuzzy Hash: 5F71A278E04218CFCB50DFA8D991AEDBBB1BF49300F2091AAD949A7356DB305A45CF52

Function 00B3BF9F Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2005cd049413e5bd18e4397ad28a42b521f385fde96fa4f79a391bbd416f6833
Instruction ID: 263cd5c0d3e2b054580c945b925003614e73e5fc32a621ae046fb61aa68421b0
Opcode Fuzzy Hash: 2005cd049413e5bd18e4397ad28a42b521f385fde96fa4f79a391bbd416f6833
Instruction Fuzzy Hash: CE71B074E04258CFCB54DFA8D881AADBBB1FF49300F2091AAD949B7316DB305A45DF52

Function 00B3A26D Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969e06ba4489ea32e15827618a8b36e7c1b7af23a59270a81cb305dc538ac453
Instruction ID: 4cb3bbbf5d20bc680e278e8f80d61f375a7dedd1fc781914026fae7cbbd63ebe
Opcode Fuzzy Hash: 969e06ba4489ea32e15827618a8b36e7c1b7af23a59270a81cb305dc538ac453
Instruction Fuzzy Hash: BE516D74A041259BCB05CB69D8C095EFBF2BF89344F74C69AD056AB22AD731E942CB90

Function 00B39FCD Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894bc78a3468be6e65ab09ce2ad72f985101f3d8d5afa4261e8a87cb4655fcf5
Instruction ID: b4853bc66cbb66b9296da59d29d9d8de5d1338e26a12bcb0cd2fc4e19d4af029
Opcode Fuzzy Hash: 894bc78a3468be6e65ab09ce2ad72f985101f3d8d5afa4261e8a87cb4655fcf5
Instruction Fuzzy Hash: F9614D74A04125DBCB05CBA9D8C089EFBF2BF89344F34D59AD056AB229C731E942CF50

Function 00B39FA8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c90c8fa1137436284ecb7207ec2bb6ef49b5bd314fc5177610ae924e81dd15
Instruction ID: 136039caf55a3e6b33e047d9989f372955bfdfbc81dfa97505d941487e89ad9f
Opcode Fuzzy Hash: a5c90c8fa1137436284ecb7207ec2bb6ef49b5bd314fc5177610ae924e81dd15
Instruction Fuzzy Hash: 2E516D74A141259BCB04CB69D8C085EFBF2BF89344F74C69AD056DB22AD731E942CF90

Function 00B3BD08 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4b8ff97106560c34e0afac31e5f310d816829decba746469a0890251657b04
Instruction ID: 3699ac2cfbf7b7b701a4480e3a64b330142de092377a6fea7b9f7374739ad3de
Opcode Fuzzy Hash: cb4b8ff97106560c34e0afac31e5f310d816829decba746469a0890251657b04
Instruction Fuzzy Hash: E6616E78E04218CFCB50DFA8D981AADBBB1FB49300F2091AAD959B7356DB305A45CF52

Function 00B3A1AA Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0685d48846a2e20d4406ed82dcbfa6e1a861b969d0a1edc4a14c4b90f5bd2c9
Instruction ID: c8f7eb3f367b9fd9ee2ba8f7227824d3e5eb9df77da90c725bbc64923b97d625
Opcode Fuzzy Hash: a0685d48846a2e20d4406ed82dcbfa6e1a861b969d0a1edc4a14c4b90f5bd2c9
Instruction Fuzzy Hash: 3E517C74A04125DBCB05DB69D8C085EFBF2BF89344F78C59AD0569B22AC731E942CF90

Function 00B3A110 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf146573f77a03f0645f34c2e59ff845165d85ac7cec7d3e139efb760cbe98cd
Instruction ID: b4650b68969ec0969d86d4c6856a9d49b2692ca8be1446df0cdeda6a25b44947
Opcode Fuzzy Hash: bf146573f77a03f0645f34c2e59ff845165d85ac7cec7d3e139efb760cbe98cd
Instruction Fuzzy Hash: 08516B74A041259BCB05DB69D8C085EFBF2BF89344F38C69AD0569B22AC731E942CF90

Function 00B35EA0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0b1fec91ed30a0b1391d50c8f312535ed29327bc1ed34ee5434c71d33a531c
Instruction ID: cbab45b60eb18a4a6f1000311dd18508e9c3be79e2a10632a09cc510e841c7b6
Opcode Fuzzy Hash: cf0b1fec91ed30a0b1391d50c8f312535ed29327bc1ed34ee5434c71d33a531c
Instruction Fuzzy Hash: A74149B0D05A59DFDB24CFA9C884AEEBBF1BF89301F2480AAE405B7250D7349945CF94

Function 00B36080 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114b064e92b6bc48912fcd1d562d815db4d2c38d1b9c85f27da9c0f8f7d0a0ea
Instruction ID: 55db5103bbfb0b96b4ed1f26cb7463b58c768d8f18ee54d72ba88a553a28c1f7
Opcode Fuzzy Hash: 114b064e92b6bc48912fcd1d562d815db4d2c38d1b9c85f27da9c0f8f7d0a0ea
Instruction Fuzzy Hash: 42212674E04108DFCB08CFA8C889AEEBBF1BB4D311F24D0A5E405BB251D7759944CBA0

Function 00B36070 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65800b93acdcfda8b19dc20b808f6a9e761b91ff1d25a171502171f8a6dfe6c
Instruction ID: 4aa6f0912afffd643cc21ff6553df89c49bbd902c79c12e38896ed5df326b9ab
Opcode Fuzzy Hash: a65800b93acdcfda8b19dc20b808f6a9e761b91ff1d25a171502171f8a6dfe6c
Instruction Fuzzy Hash: ED213B34A04148DFCB09CFA8C885AEEBBF1AF4E311F29D199D505BB262C7309945CBA1

Function 00B3C7E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fafb709816fac45429937bdcda93faae48e11674380faeacfe73b5cacddd53b
Instruction ID: eb1ae24d9cc9fc91540cb204f46cd0dc54803da8422849245eb543747f2c0f6c
Opcode Fuzzy Hash: 2fafb709816fac45429937bdcda93faae48e11674380faeacfe73b5cacddd53b
Instruction Fuzzy Hash: 0311C0B4C05209DEDB00DFE6C5443BEBBF5EB49301F2480AA9814B2251D7B84B85DF90

Function 00B356DC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08945358daa81eea2fcee22d035640c5f03da81688465656a54902cdbb6a4357
Instruction ID: aceddf34571d78253e635ba61e2fc5c5ce550d5a17cd0a4b3fe9d5764a9e4649
Opcode Fuzzy Hash: 08945358daa81eea2fcee22d035640c5f03da81688465656a54902cdbb6a4357
Instruction Fuzzy Hash: 2F010874904418CFDB20CF98D880BEDFBF1BB49321F24E292D549A7212D730AA95DF64

Function 00B3C310 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f62407092dd03be705baec4926c8e2ff70c93a08347eb8d7a299eb5e8e10fbc
Instruction ID: f039ba9972ddcd66da09582b16f03083581302c4e59d45ba997c4d8384e6d778
Opcode Fuzzy Hash: 0f62407092dd03be705baec4926c8e2ff70c93a08347eb8d7a299eb5e8e10fbc
Instruction Fuzzy Hash: 8D012870D09248AFCB41DFB8D841BEEBFB0FB0A300F2086A9D845B72A2C3705A41DB55

Function 00B30815 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d1e9c4039a3c2ab983f60c5b4747eb88393a24b3b0c2bb4520521496a8ac3a
Instruction ID: a61da99d5b7289017f36c548c106f19db164a4d9a2376affdd33bcf0835cef00
Opcode Fuzzy Hash: 40d1e9c4039a3c2ab983f60c5b4747eb88393a24b3b0c2bb4520521496a8ac3a
Instruction Fuzzy Hash: 72F0E97041E2C09FC711DB748866B98BFB4BF06208F3946DDC6490B063D3264819DB91

Function 00B38799 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7ef5d96d6b03e630a6767bff80ed2c77483ae1cf3be2ca7770d6e03f3dd9fe
Instruction ID: a2a6aadf13788e2e5e887077bb5ae63b253a44c8a8408f41238361d51298c6b4
Opcode Fuzzy Hash: dd7ef5d96d6b03e630a6767bff80ed2c77483ae1cf3be2ca7770d6e03f3dd9fe
Instruction Fuzzy Hash: 06F096748092C8EFCB02CFB498549FD7FF4AF0A301F1481DAE89052162C2358611EB51

Function 00B33300 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a10d8baa26cc59faca7b51e4e64956057f4c300255e44d3b7d826c477fcd17
Instruction ID: 533f30d54d2375aa48a19f709416e0d9cbadb273ab09225486cb74f28fec256a
Opcode Fuzzy Hash: c5a10d8baa26cc59faca7b51e4e64956057f4c300255e44d3b7d826c477fcd17
Instruction Fuzzy Hash: 9CF0177090E2889FCB02DFB8C8519AEBFF0EB0A310F1086DAD854E7262C7705A51DF51

Function 00B33DC7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca121287b6fc6a424e7b30cad9536f7bf6f9603a32e8f818b733409e9757438a
Instruction ID: b042a50edb5fcae681f551b5ffbb4e5e8eb0adb4775ef57cdda9f465a0447927
Opcode Fuzzy Hash: ca121287b6fc6a424e7b30cad9536f7bf6f9603a32e8f818b733409e9757438a
Instruction Fuzzy Hash: 49F05E31409288EFCF06CFA4D8529DD7FB2EF0A311F1081D9ED4516272C3328A66EB61

Function 00B35E58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc15253bd07c2a799d307f66b8970e3c0d3fba9740aac2a1b3b4056a14c46cab
Instruction ID: f91d6a237e8e939fd9c1a78b7b84e1b846e8470056fba92ab80f01cc2ebf25c3
Opcode Fuzzy Hash: dc15253bd07c2a799d307f66b8970e3c0d3fba9740aac2a1b3b4056a14c46cab
Instruction Fuzzy Hash: 2FF0A03080E288AFC712CBB4D8599EE7FB8DF0B301F2442DEE88056163C7716A56EB51

Function 00B307D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b768e8ece768a2c0003725921c8fa7b9a9d298bec3fab0a4c9000a762f470937
Instruction ID: 46dda58977e4e5976e12afd72d87b17a6448b38240e876dbfcb1265bd4675883
Opcode Fuzzy Hash: b768e8ece768a2c0003725921c8fa7b9a9d298bec3fab0a4c9000a762f470937
Instruction Fuzzy Hash: 1BE09A2446F6C4AFD302ABB898659E97FB89F0F300F2542DA8589C20B3D6658806D792

Function 00B3BF50 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cd78c7fbc3f05a46b1d0e5490ba820d79b9a53e711ab7c2f635c3d1dcb10a1
Instruction ID: a885e56831886326eef07f74796845b05dc7894fd4eeed780ba6cf8a5f2c707f
Opcode Fuzzy Hash: 57cd78c7fbc3f05a46b1d0e5490ba820d79b9a53e711ab7c2f635c3d1dcb10a1
Instruction Fuzzy Hash: 28F03030D09248EFCB46DFA8D841ADDBFB0EF49300F2082EAD84497266C3356A55DF41

Function 00B38398 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8129336b795dc57b3811d74bdc0a65c7270956796b419fd4acaf6150bef44a11
Instruction ID: c25d8a5de5a0dc629309a17e6ab420c35bbadaf86db82ff11e914a7196544b83
Opcode Fuzzy Hash: 8129336b795dc57b3811d74bdc0a65c7270956796b419fd4acaf6150bef44a11
Instruction Fuzzy Hash: 4BF0A03080A348AFC7068BB4D8449EDBFB4EF0A311F5042D9EC8026263C7315A56EB05

Function 00B341BE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1aea5672990735968fd1663a014038ce29f21ebd896c4d0dc80d944d2daaf6
Instruction ID: 87e67da2b643a6247197306d33ae4f2af51c5ced4f55bd62c63531fc7c819076
Opcode Fuzzy Hash: fb1aea5672990735968fd1663a014038ce29f21ebd896c4d0dc80d944d2daaf6
Instruction Fuzzy Hash: 09011578A012688FDB60CF98C994BDDBBB1BB49301F1081DAE809B3361D7719E81DF20

Function 00B31A3F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e341fd6310d4747ba492dbf96b862812cca7d5f1b5933776b96b9ef074e7ca2
Instruction ID: 1e134033a3dffaf5293f397fbd03df2f3cba82c8c6f46dc8bb51e6b75918bf4b
Opcode Fuzzy Hash: 6e341fd6310d4747ba492dbf96b862812cca7d5f1b5933776b96b9ef074e7ca2
Instruction Fuzzy Hash: 5CE09A30C1A248AFDB01CFB8E8446DDBFF4EB0A311F6012EAC845E3263E6314A05CB01

Function 00B387A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04094c857385dd197bb02ddd1488add32a28dd5e6a2f7c4c64345b7fc022da04
Instruction ID: 9672a68325c4dc1a8796ad1d84b7edd618e57128766ae8cca7031e89f0317d49
Opcode Fuzzy Hash: 04094c857385dd197bb02ddd1488add32a28dd5e6a2f7c4c64345b7fc022da04
Instruction Fuzzy Hash: 49F06574C04248EFCB05DFA494046EDBFF9BB09301F2081E9F85452251D7358A50EF61

Function 00B38F81 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fca478fe96d7f88d65b7481b13e59c00811594fde258cc0327f8dbf4d923619
Instruction ID: fc06c71454f52947e2b12a306e521205d10a520c8a0008c06dd490264c17d6a5
Opcode Fuzzy Hash: 2fca478fe96d7f88d65b7481b13e59c00811594fde258cc0327f8dbf4d923619
Instruction Fuzzy Hash: 0BF08C30809248DFCB06CBB4D8446EC7FB1EF4A304F2482EEE84497222C7350A15EF01

Function 00B33310 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4070e7aedc88dce990d520f2bcc7d818a4131edb8f145f1b1c27090d959ffbc7
Instruction ID: 6787ccdc1bee886e64701df408166bd630f4b4c667350b78f5e9ab78ddf015dc
Opcode Fuzzy Hash: 4070e7aedc88dce990d520f2bcc7d818a4131edb8f145f1b1c27090d959ffbc7
Instruction Fuzzy Hash: D6F0C9B4D0521CDFCB44DFA8D9459AEBBF4FB08311F5086AAE818A3322D7705A51DF84

Function 00B33DD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2590eb4e31c62f85777be82d8a47708636e96ababd6dcfd24e6c7e80f5f7121
Instruction ID: 9570f369c6971e216943923675bcb34efef5294e6e9f545150ae48a659fa57ec
Opcode Fuzzy Hash: f2590eb4e31c62f85777be82d8a47708636e96ababd6dcfd24e6c7e80f5f7121
Instruction Fuzzy Hash: F3E0ED3540520DEFCF05DFD4E8459DE7FB6FB09311F5081A8F90412221C7328AA1EB91

Function 00B32AE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08eebcb602d0799d5ac09aec0c7427623fa15f602ad773da53ddc1dc639be8e
Instruction ID: 40395fc0431b045d0bbd037048e25f376130550062d9e295fb9bb48f981b029d
Opcode Fuzzy Hash: e08eebcb602d0799d5ac09aec0c7427623fa15f602ad773da53ddc1dc639be8e
Instruction Fuzzy Hash: FDE0ED3480A248DFCB06CFB4D98969CBFB0EB46301F2482EDD805176A2D3724946DB52

Function 00B33359 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdb5c1eb45d02fd356443c82e4129174599c9f280bc187af04447720df60fdf
Instruction ID: 2061b062c1e771cca4bb802f64bb0954bc89d3c75a0eeadcf5b8d2ff8e53e0c4
Opcode Fuzzy Hash: 8fdb5c1eb45d02fd356443c82e4129174599c9f280bc187af04447720df60fdf
Instruction Fuzzy Hash: 26E09230809304EFDB05CFB4D5046DDBFB0EB4B311F2082EDE84066262C7318A55EB46

Function 00B39770 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f800bda5f8c2d39bbb1789e8ae9b91461b2fe28cb5199c98a6e0654b9a65757e
Instruction ID: 4b6476f287bfebc946b1826070cfc3688974dbb3cd7862fd9310efc05f1f4bf6
Opcode Fuzzy Hash: f800bda5f8c2d39bbb1789e8ae9b91461b2fe28cb5199c98a6e0654b9a65757e
Instruction Fuzzy Hash: EDE0463045E294AEC316CBB89862AE97FB8DB07210F2405DED885971A3C3A25916EB12

Function 00B3BF60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85904a31ec883abffc2909a69f8758b6e4647b9a31099940b626ba379359b872
Instruction ID: c773a2309eea0e4f9e95f9f7474e9bf9f6be37d308203a465566fcc0c914923b
Opcode Fuzzy Hash: 85904a31ec883abffc2909a69f8758b6e4647b9a31099940b626ba379359b872
Instruction Fuzzy Hash: F0E01A74D05208EFCB44DFA8D840A9DBBF4EB48300F60C1E9D818A3311D735AA51EF81

Function 00B35E68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcb9e915c352b93b255866d17d28aeb74f455f84f8c9f4c4bfa298161a400ba
Instruction ID: 85ed07e36cf9c33d388052d1ae2ad919995a682ea651d7d46eb458a38d928dae
Opcode Fuzzy Hash: abcb9e915c352b93b255866d17d28aeb74f455f84f8c9f4c4bfa298161a400ba
Instruction Fuzzy Hash: 30E08670805218EFC714DFE4D4445ED7FB8EB05302F6042A9E40452261C7315B51EB90

Function 00B31A50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92689fb993c5e1ce679629252f4625cbe2528caa18c110b8b524b28e31e0f005
Instruction ID: 54629c2728e4ff6fc9b25425bc21880c3f757c9864858092741f53e9c63cfce3
Opcode Fuzzy Hash: 92689fb993c5e1ce679629252f4625cbe2528caa18c110b8b524b28e31e0f005
Instruction Fuzzy Hash: 97E0EC74D16208EFC744DFE8E84569CBBF8AB09702F6056A9D80893262E7305E51DB51

Function 00B383A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48329a9b65a86f9b1196b74c2fa57eba42f99054b2cbe78f2bdf88855fd8da3
Instruction ID: 0857574e59a9b9e7c1f6e1f354ee4b26e55f5018187e2e2558d7e9de702d34a9
Opcode Fuzzy Hash: a48329a9b65a86f9b1196b74c2fa57eba42f99054b2cbe78f2bdf88855fd8da3
Instruction Fuzzy Hash: 16E0EC7090A308EFC705DFA4E8449ADBBB9FB49312F6092A9F80422361DB315A51EB95

Function 00B38F90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99f621557bc613836d12929d23edc2bf48101635051a193cdb07af5d4d2d318
Instruction ID: 1c700df1768fa98d1fffb52b1367db298707834c9403dede7a28bbd946d2e51e
Opcode Fuzzy Hash: d99f621557bc613836d12929d23edc2bf48101635051a193cdb07af5d4d2d318
Instruction Fuzzy Hash: 65E04630C05208EFCB04EFA8E8446ACBBB5EB48311F2082E9E80453321CB355A41DF81

Function 00B32AF0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5279b63c9abd507bced8335a7749a21393116b5613f204548602272802fb95
Instruction ID: 27f87225212905162b8548eebb3a5a5203a3b19a7db8ecd63e788cb7223f17ad
Opcode Fuzzy Hash: 2e5279b63c9abd507bced8335a7749a21393116b5613f204548602272802fb95
Instruction Fuzzy Hash: A5E01230805208DFC709DFE4E9455ACBBF4EB45302F6082E8D40813262D7325D55DB91

Function 00B30848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1e4f7258b1f52e8a83c04a5789cf6c7444723a8330dbab732e653f88c6cf3b
Instruction ID: 4f21273590feeb8a4bb4a9ed1428ec9c08f5c56e4ab7121e4235e6728604b00e
Opcode Fuzzy Hash: 7e1e4f7258b1f52e8a83c04a5789cf6c7444723a8330dbab732e653f88c6cf3b
Instruction Fuzzy Hash: 44D0A92042B208EBC200EBE5A808AA576ECAB0E302F2046D8A50982023EB310820AAD1

Function 00B39780 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488936d870ee84d9289270b1ce734f1bcffb5917eacc53be488fd470f602e03e
Instruction ID: b04d1d0458124a004e6937e3a22cdd2aef386940e870a766094c92d753f7221f
Opcode Fuzzy Hash: 488936d870ee84d9289270b1ce734f1bcffb5917eacc53be488fd470f602e03e
Instruction Fuzzy Hash: 10D0A93041A208EBC318DFA8D401AEC73ECEB02311FA005ECE808122A2DBB29D10EB80

Function 00B3087B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400b1612d3fb21a4d61ba7ea55d089fff6bcceca5b80b90a860cfe99130a5319
Instruction ID: 117e37c5504ee948053b37b7f64c32b3f5bfe806170e5f2805fc9e09cfa07661
Opcode Fuzzy Hash: 400b1612d3fb21a4d61ba7ea55d089fff6bcceca5b80b90a860cfe99130a5319
Instruction Fuzzy Hash: B9C0122809E1045AD626A7A8A869AE97BA49B0A301F205748D44A0087383B14407DE41

Function 00B343A5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8863501e804a1763275b923e63ce006ba6637f52dfe64b15746663ea246ef72
Instruction ID: b7b39cd7804addbeb4ac28fda6e1a35dfb3adb426bf3db66aaaab1aa30be51e8
Opcode Fuzzy Hash: c8863501e804a1763275b923e63ce006ba6637f52dfe64b15746663ea246ef72
Instruction Fuzzy Hash: 0ED0BC74900628CFDB50DF54CA84AEEBBF1AB89302F204196A80977261C770AE91DF51

Function 00B3457A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ab68f0628e4d85ee97413f40bc84b10a6c7ef2dcd25de3b64407b6e2b60fd
Instruction ID: b76d276a959a5a7157e7500d71da5ead8945348ac89b0705d152a3aace707916
Opcode Fuzzy Hash: 521ab68f0628e4d85ee97413f40bc84b10a6c7ef2dcd25de3b64407b6e2b60fd
Instruction Fuzzy Hash: ECC04C7491022CCBDB11CF90CC48BEEBBB2BB4D302F105195D80923261C7715D91DEA0

Non-executed Functions

Function 00B36DD0 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

f, xrefs: 00B37034
~A, xrefs: 00B3705E

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: f$~A
API String ID: 0-1583423748
Opcode ID: d8dfc50b6cc2c08133aea332860410e83dd140a94d19f015ccbd9e0b3e5400db
Instruction ID: 79300f34b137444853a6c885379a7f34eda106430f4d21e0c2232922fcba159a
Opcode Fuzzy Hash: d8dfc50b6cc2c08133aea332860410e83dd140a94d19f015ccbd9e0b3e5400db
Instruction Fuzzy Hash: 37B1EEB4E04229DFCB10CFA9D884AAEFBF1FB49300F20D56AD429AB215D3749946CF54

Function 00B36DC0 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

f, xrefs: 00B37034
~A, xrefs: 00B3705E

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: f$~A
API String ID: 0-1583423748
Opcode ID: 5371cca8b8290bb40ed15dc17b0651b7f5b80d0d20db6158aee4a4f1a27be7f0
Instruction ID: 65f23da494635e4204591936b158ce97f6047853786bd2e95f1f5f80ef6d8758
Opcode Fuzzy Hash: 5371cca8b8290bb40ed15dc17b0651b7f5b80d0d20db6158aee4a4f1a27be7f0
Instruction Fuzzy Hash: 01B11274E04229DFCB00CFA9D884AAEFBF1FB49300F20C5AAD419AB211D3749946CF54

Function 00B3D350 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

4']q, xrefs: 00B3D438

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3294219bb0789c74951d92468770d5780a8d78da5097cee3dcb6d4adf686d54c
Instruction ID: b2ce70cfbdd754af7fba825c164fa94a88ca1f15c01ce209ee88161cbd0a47a7
Opcode Fuzzy Hash: 3294219bb0789c74951d92468770d5780a8d78da5097cee3dcb6d4adf686d54c
Instruction Fuzzy Hash: 7E713075E00209CFDB49DFBAE950A9EBBF6BF89300F14C52AD00497279EB74590ADB50

Function 00B3D360 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4']q, xrefs: 00B3D438

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 1e7fd2a84f69bc233fee053b0dfce87e4385484553ba464d833d77fe06985325
Instruction ID: 7a619d8e77bec96cb9fcdd2f9d8ccb19496183ff3cd71bbbaf1451504259cc8f
Opcode Fuzzy Hash: 1e7fd2a84f69bc233fee053b0dfce87e4385484553ba464d833d77fe06985325
Instruction Fuzzy Hash: 68612075E00209CFDB4DDFBAE950A9ABBF6BF88300F15C52AD00497279EB74590ADB50

Function 00B3B089 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36e7ef948674403b1478ba5fca349000ba454fe4516feb5cc49366466ef8b7a
Instruction ID: 4f37f74f8fadaec33a96ba4ae32f2a7bdc25a3096b4bca927f9f8e827287fc70
Opcode Fuzzy Hash: a36e7ef948674403b1478ba5fca349000ba454fe4516feb5cc49366466ef8b7a
Instruction Fuzzy Hash: 74819C74E055259FDB05CFA9C89189EFFB3BF89300F28D66AD015AB26AD7309942CB50

Function 00B38C30 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f61fcaf50e5a59ca9978608f6ed50d58bd08d5bd53e26275761bbecc4277b27
Instruction ID: 703df43a8f5a4d6c69a766472b14d19c8fd0059605683828e374a3ee9430265e
Opcode Fuzzy Hash: 8f61fcaf50e5a59ca9978608f6ed50d58bd08d5bd53e26275761bbecc4277b27
Instruction Fuzzy Hash: 26712570D05619CFDB04CFA9C8806EEBBF1BF98310F34946AE025BB258DB7489458F5A

Function 00B36AB0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efdc18c4941c5ccf10f961ba5725d29b528769aad66e785b7b906d18dcae911
Instruction ID: c5dbf84ef933ca927ce72d916d4c88bffdac7c372227bb74daab2b3e20ce01f3
Opcode Fuzzy Hash: 2efdc18c4941c5ccf10f961ba5725d29b528769aad66e785b7b906d18dcae911
Instruction Fuzzy Hash: 737126B0D06208ABCB04CFA9D5816AEFBF2FF49310F68E5AAD411AB251D7709941CF55

Function 00B3B0E8 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d46a05eddcbacae0ed923cffc213160541f936a768eba58a4b383c6a4c4172
Instruction ID: 3c248e172b1a8e81dd0fbdf0edec34f128d9defe242c6684c1526f2f816848f1
Opcode Fuzzy Hash: f8d46a05eddcbacae0ed923cffc213160541f936a768eba58a4b383c6a4c4172
Instruction Fuzzy Hash: AF715D74E045259BCB04CFAAD88089EFFB3BFC8344F28C669D015A721AD730D942CB94

Function 00B393C0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc7c8b95d13e5465dbb8ef1e04c95edbbfbb313bef0df900172e78671363604
Instruction ID: d98f028ffb5b3242deda323041ecda4d46add6ef58db03bfcc481366be2a2d61
Opcode Fuzzy Hash: 3fc7c8b95d13e5465dbb8ef1e04c95edbbfbb313bef0df900172e78671363604
Instruction Fuzzy Hash: 2C7114B0D15209CBDB08CFA5C5806EEBBF2EB99304F34906AD415B7344D7B59A86CF68

Function 00B33AA0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c17586ddd7000d272e0138e63e4a8beca6ec3834433a45afdb8fc8d26782e4
Instruction ID: ed4e43ef430b8c2d8280a9abce72419e8042de79a0e1181d50e7848224af078a
Opcode Fuzzy Hash: 11c17586ddd7000d272e0138e63e4a8beca6ec3834433a45afdb8fc8d26782e4
Instruction Fuzzy Hash: 1371F270D05209CBDB04CFA9C5846AEFBF2FF49710F64945AD419BB214E734AA86CF94

Function 00B393B0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87bbb6bf7d299116f3eb6a19c392ecec0b29d33000d57c17033a2397560dd9b
Instruction ID: d9131e48803f597d82691c76da2ef8c1bd911566a9e121131eaada7bd1318503
Opcode Fuzzy Hash: d87bbb6bf7d299116f3eb6a19c392ecec0b29d33000d57c17033a2397560dd9b
Instruction Fuzzy Hash: F96125B0D05209CFCB08CFA9C4806EEBBF2EB89300F2494AAD415B7354D7B59986CF64

Function 00B33A91 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcf8993051bb185cb8a1ee7d67c747277dee1fe644fea650195b3fff2768a4b
Instruction ID: e491d5c3601192f78e5c07ad77aa430aac6dbf841007f3dcd539889ddda38d61
Opcode Fuzzy Hash: 8fcf8993051bb185cb8a1ee7d67c747277dee1fe644fea650195b3fff2768a4b
Instruction Fuzzy Hash: A061F470D0530A8BCB04CFA9C5846EEFBF2FF89710F649556D419BB214D734AA86CB94

Function 00B3B6A5 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e39d6dfb898f0b58c29a171094169bff43b26becfd85d3321ab31d56e8ec3a1
Instruction ID: 526badb06a7253649d118592100b1ded0412299f963d11fbf8b2630ee0892113
Opcode Fuzzy Hash: 2e39d6dfb898f0b58c29a171094169bff43b26becfd85d3321ab31d56e8ec3a1
Instruction Fuzzy Hash: 98416F75E052199FDB04CFA9D9909DEBBF2EF89300F28C16AD504AB369DB305902CB51

Function 071E0006 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedce4eb1365733346731e389a1da3302a11b986b9d90fc8d614ba4c0bc2830c
Instruction ID: 3f7a934bba7d92765dbaaa443681991b2a22cb76acf5d960463378a7ca9131b6
Opcode Fuzzy Hash: fedce4eb1365733346731e389a1da3302a11b986b9d90fc8d614ba4c0bc2830c
Instruction Fuzzy Hash: 9E517DB1D05A548FE71DCF678C5069AFFF7AFC9200F18C1FAC448AA265DA7509468F11

Function 00B3B6F0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e43dcc368635a9e636a6870eccdbdba09ff68541ee8b74a6a8ff1d6e83c2c0
Instruction ID: 2a1b02e70bc685afed56afb9db810f89e4eb2e949c8294004c456a0eb783a289
Opcode Fuzzy Hash: b1e43dcc368635a9e636a6870eccdbdba09ff68541ee8b74a6a8ff1d6e83c2c0
Instruction Fuzzy Hash: FE411C74E00218DBDB18CFAAD98099EFBF6EFC8310F24C16AD519A7265DB309941CF50

Function 071E0040 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2075115965.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71e0000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af80c81b5cd7a2b41b5d145b43e925cc1bb175c6e112cbfb0afb2a9a0604de9
Instruction ID: c321afacc981f2134e08d20b5a3a34591028753738b3399b5d3d23fb4800e35f
Opcode Fuzzy Hash: 1af80c81b5cd7a2b41b5d145b43e925cc1bb175c6e112cbfb0afb2a9a0604de9
Instruction Fuzzy Hash: FC411CB1D01A188BEB5CCF6B8C4479AFAF7BFC9201F14C1BA941CAA265EB7049458F11

Function 00B3A508 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2071760772.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_HHhHh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2e8cd19e24bf0cd31673d60bad3e94d1008727934d198ebfd37ebabec85546
Instruction ID: 2898a20efa8e9c35ca5ae1a03e9eb2beb70613124d0b128db7af7022d5d7c041
Opcode Fuzzy Hash: 7f2e8cd19e24bf0cd31673d60bad3e94d1008727934d198ebfd37ebabec85546
Instruction Fuzzy Hash: 4E41BA75E002189FDB08DFAAD980A9DBBF6AF88310F24C16AD909A7365DB305942CF51

Analysis Process: aspnet_compiler.exePID: 6176, Parent PID: 3624COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	93.1%
Signature Coverage:	0%
Total number of Nodes:	216
Total number of Limit Nodes:	23

Executed Functions

Function 0186A290 Relevance: 2.8, Instructions: 2787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717ea0cc53d2635f9de946ec094c8977966d50aa0f77ba2d8ae6f3577c21cde1
Instruction ID: 548faba2b99f9e63e71bfcc297df8fa4762b6d652d3825f5800b1c782c225555
Opcode Fuzzy Hash: 717ea0cc53d2635f9de946ec094c8977966d50aa0f77ba2d8ae6f3577c21cde1
Instruction Fuzzy Hash: 7563F831D10B1A8EDB51EB68C8445A9F7B1FF99300F15D79AE448B7221EB70AAD4CF81

Function 0186D5F8 Relevance: 2.3, Instructions: 2300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796b6afc95b24ff1e69fa57246ad06c416c0573ab2c625fd1d6ca47e33a64e89
Instruction ID: 54d5edaa9b545aca3bb0b22e8913fb40aa3cfa2bad7100cc12a7f8a026507952
Opcode Fuzzy Hash: 796b6afc95b24ff1e69fa57246ad06c416c0573ab2c625fd1d6ca47e33a64e89
Instruction Fuzzy Hash: 9E331E31D107198ECB11EF68C8906ADF7B5FF99300F15C79AE459A7221EB70AAC5CB81

Function 01869A08 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8792953f4e7ad2d9e110556690632449002687956c074c89de45c0c0434d10e3
Instruction ID: 21b24b1ff5c9b1ca2c30bcc454ad32a60a23ceba0d1fd3dd85e35f47fdca69f2
Opcode Fuzzy Hash: 8792953f4e7ad2d9e110556690632449002687956c074c89de45c0c0434d10e3
Instruction Fuzzy Hash: AA32AE30A00205CFDB14DF68D984AADBBBAFF88314F148569E90AEB395DB35DD45CB81

Function 018641C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f635bc8e5081e4891ce935e57da9812a0a8fab9ec54d9f03a65687cb648e961
Instruction ID: bca9e662a98df2288913c7a072928cb54b7f4ace55d7dd7600e0b779914ccdbe
Opcode Fuzzy Hash: 8f635bc8e5081e4891ce935e57da9812a0a8fab9ec54d9f03a65687cb648e961
Instruction Fuzzy Hash: 27B14E70E00209CFDF14CFA9D985B9DBBF6BF88314F148129E419E7254EB749945CB85

Function 01864A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48abad6e43b5abd78383259a2e27a5732330fc76a2de634b5ecdb4e25a0fdf6
Instruction ID: 95a1762f487af03ef6243a3a47ec54516e41be17a494ba61327c49777404c40a
Opcode Fuzzy Hash: f48abad6e43b5abd78383259a2e27a5732330fc76a2de634b5ecdb4e25a0fdf6
Instruction Fuzzy Hash: 65B14B70E00209CFDB14CFA9C9857ADBFF6AF88354F148529D819EB394EB749985CB81

Function 01863E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7518c01023d9201a68f6336dd2b1b493a7dd304b69746c71059fdcfedfa52b1d
Instruction ID: 2aa78fb11060f9babc2219cdc9b51c0b21b6f4a2a27f26a42883c872d598a030
Opcode Fuzzy Hash: 7518c01023d9201a68f6336dd2b1b493a7dd304b69746c71059fdcfedfa52b1d
Instruction Fuzzy Hash: 8C916E70E00609DFDF14CFA9C98579EBBF6BF88314F148129E819E7254EB749986CB81

Function 01566B90 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4493181160.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1560000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037a7f192d4040ed9d8cae6970106cee33cf82fab25595e0257cc32b8b1fa5ea
Instruction ID: e728378077f6256429b37872fb412f734106c58f43b4acb3ef9039000531361f
Opcode Fuzzy Hash: 037a7f192d4040ed9d8cae6970106cee33cf82fab25595e0257cc32b8b1fa5ea
Instruction Fuzzy Hash: EA411171D047968FCB15DFA9D8002DEBBF1BF89320F1585AAD408AB251DB789881CBE1

Function 05EF9298 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EF93AA

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2024f35f4e78cb892984005ade4fb63be33fd15c79e3a58ab5094d0265b42abe
Instruction ID: c300184f7ee93f2ee9d78af14b5cfb91d0f42dc4970559c166ea55c14d2d2edf
Opcode Fuzzy Hash: 2024f35f4e78cb892984005ade4fb63be33fd15c79e3a58ab5094d0265b42abe
Instruction Fuzzy Hash: 8C41C0B1D00309DFDB14CF9AC984ADEBBB5BF48314F24812AE519AB250D775A885CF91

Function 05EF9292 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EF93AA

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9ee00de2678a0866e6743b9db704df3a0db97c16dc2ebcf9901f8b690c2b6423
Instruction ID: d0545f043a7f15516063e991180ed270cba12a55cea04582b73e45e7556f832c
Opcode Fuzzy Hash: 9ee00de2678a0866e6743b9db704df3a0db97c16dc2ebcf9901f8b690c2b6423
Instruction Fuzzy Hash: 3151D0B1D00309DFDB14CF99C984ADEBFB1BF48304F24812AE559AB250D775A885CF90

Function 05EFCC84 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05EFE0C9

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a39721e27386196b57a242d344bf9053711709321bf017482bf59456f873950c
Instruction ID: ad85d12bd228b4b537b0643b49634b9762b44841be84d7744ad18f1c1ebbb546
Opcode Fuzzy Hash: a39721e27386196b57a242d344bf9053711709321bf017482bf59456f873950c
Instruction Fuzzy Hash: B0415CB4900309CFDB14DF99C488AAABBF9FF89314F24C459D659A7321D735A840CFA0

Function 05EFED44 Relevance: 1.6, APIs: 1, Instructions: 77
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05EFEDD8

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 80b82ebf262931d2d76f082e9f03052d4bb09f885be33cb62912898ee20b3fe0
Instruction ID: fffe088f7ce082ac3727e1744685735581d814865c1435d3020c8ef86bbd4d38
Opcode Fuzzy Hash: 80b82ebf262931d2d76f082e9f03052d4bb09f885be33cb62912898ee20b3fe0
Instruction Fuzzy Hash: 7C3132B0901248DFDB14CFA9C988BCEBBF9AF48304F248029E544BB3A4DB746944CB65

Function 05EFE8C0 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05EFEDD8

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 610dc8231c6e0b279a296cea9e90817a3a49cf2f9ed7934fb489f50a58354199
Instruction ID: c12ff736e06118317181ad8587214a54518561114c3bbdc0273914779e5a8307
Opcode Fuzzy Hash: 610dc8231c6e0b279a296cea9e90817a3a49cf2f9ed7934fb489f50a58354199
Instruction Fuzzy Hash: 6C3122B0901209DFDB14DF99C988BCEBBF9AF48304F248029E544BB3A0DB756944CBA5

Function 05EFD170 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05EFD1FF

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 96284c2691eb812283def2438ba72784b954e37f91bfd2ab204a1535a2fe1e8d
Instruction ID: 94e0767d10641dc9404a0895fc85ed85c61f8a02fb5ac8ef049f44c85ae0c118
Opcode Fuzzy Hash: 96284c2691eb812283def2438ba72784b954e37f91bfd2ab204a1535a2fe1e8d
Instruction Fuzzy Hash: A821E6B59002489FDB10CF9AD984AEEBFF5FB48310F14841AE958B3310D379A944CFA1

Function 05EFD178 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05EFD1FF

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d5efb04f7e4ec5dcd7e1e64defb441ced991dab2f3693a9781b574f303ec8af
Instruction ID: a08886c7b1403e0a4e97b1cf210517b7e104a8c777288ff47e4df2b6befc2d3b
Opcode Fuzzy Hash: 8d5efb04f7e4ec5dcd7e1e64defb441ced991dab2f3693a9781b574f303ec8af
Instruction Fuzzy Hash: DB21E4B59002089FDB10CF9AD984ADEBFF8FB48310F14841AE918A3310D378A940CFA1

Function 01566C78 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 01566CDF

Memory Dump Source

Source File: 00000003.00000002.4493181160.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1560000_aspnet_compiler.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 43ebb920d7dc873ca5717a18556237b22d314a3ba33383edf167a284c4eb234f
Instruction ID: e2907e161f7e94d6b4b4713cb4e152bd86943f266951af231897897ee20dbcf5
Opcode Fuzzy Hash: 43ebb920d7dc873ca5717a18556237b22d314a3ba33383edf167a284c4eb234f
Instruction Fuzzy Hash: F111EFB1C0065A9BDB10DF9AC544A9EFBF8FF48320F14856AD918B7240D778A944CFE5

Function 05EF71F8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05EF8256

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 28ceed3309830c1b79b88ae9f80bdb05144bee206573598de5c7a89c91bf6579
Instruction ID: 64008d9e084c6da3418218f5dee7992cf551d8c3f9a5bdd5ecb4c018430acf45
Opcode Fuzzy Hash: 28ceed3309830c1b79b88ae9f80bdb05144bee206573598de5c7a89c91bf6579
Instruction Fuzzy Hash: 8B116FB1C047098FEB20DF9AC444ADEFBF4EB89210F10842AD929B7200D778A540CFA0

Function 05EF81EA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05EF8256

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 07df128e0c1109518635b0c54bd95eb238eeda36783e627592c033325a0b41db
Instruction ID: fe01cf110e8993466873c4ffdc9253e8da119a73e40000de6e022c747ef3c94d
Opcode Fuzzy Hash: 07df128e0c1109518635b0c54bd95eb238eeda36783e627592c033325a0b41db
Instruction Fuzzy Hash: F1113FB6C006098FEB10DF9AC544BDEFBF4AF88214F10851AC969B7200C379A545CFA0

Function 05EFEC01 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05EFEC5D

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6125f265fc8cea2bc440fded840b2e251b0fab66cdc086889bb4d0c6671d327d
Instruction ID: 290c189a23b629284404a28bc0ace36e7b57d8515bdec48af2a3214c39b146b3
Opcode Fuzzy Hash: 6125f265fc8cea2bc440fded840b2e251b0fab66cdc086889bb4d0c6671d327d
Instruction Fuzzy Hash: 791136B08007898FDB20DFAAD549BDEBFF8EB48314F108419E519A3210D378A544CFA5

Function 05EFE7A8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05EFEC5D

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6d87052f92d80760e9eae4335f17794269c517d8c880e271743ea81535445608
Instruction ID: a157e0c61dc05bb3bc1e724c11a6631f1a55d005ed10727bf0f476f7b5690646
Opcode Fuzzy Hash: 6d87052f92d80760e9eae4335f17794269c517d8c880e271743ea81535445608
Instruction Fuzzy Hash: 9D1115B58007488FDB20DF9AD548BDEFBF8EB48314F108459E659A7210D778A944CFA5

Function 05EFCCDC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05EFE315), ref: 05EFE39F

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a8da67821483e138c8ee9a69313ea94a7e0346092a1264f953bb472197a6b013
Instruction ID: 09e3cde61327c6170be9a8c5993e332ddf6dd40ea356ecfba0e580062a059290
Opcode Fuzzy Hash: a8da67821483e138c8ee9a69313ea94a7e0346092a1264f953bb472197a6b013
Instruction Fuzzy Hash: F21133B08003488FDB20DF9AC448BDEBBF8EB49310F20845AD559B3250D778A940CFA5

Function 05EFE338 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05EFE315), ref: 05EFE39F

Memory Dump Source

Source File: 00000003.00000002.4501147503.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_aspnet_compiler.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 262f1133fef3f745752b1f10de143f6ce1ae6d2bf29b1f8e255ae70b90c65ce8
Instruction ID: 0b144e8656b8989c6b806019efaa4ab9ca17323e104b0ad490337f2b41526233
Opcode Fuzzy Hash: 262f1133fef3f745752b1f10de143f6ce1ae6d2bf29b1f8e255ae70b90c65ce8
Instruction Fuzzy Hash: 711103B58002498FDB10DF9AD548B9EBBF8EB49314F20841AD519B7250C779A544CFA5

Function 01867C7D Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01867E14

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 811bcdb06428c3ea7110e536870b87057e785b994bb8b8b0cc48eb302f8f2b1f
Instruction ID: 9fbd3ccbdbb133a372a006103715aaef56d3988100b8a63c55c19804ce7b74bc
Opcode Fuzzy Hash: 811bcdb06428c3ea7110e536870b87057e785b994bb8b8b0cc48eb302f8f2b1f
Instruction Fuzzy Hash: 2D31B331E1020ADFDB16CF68C8907AEB7BAEF85718F10882AE501EB255D7749E45CB91

Function 0186FB35 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0186FC83

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 00c3c68eca82506cfccc3a6ce8f30115e38e334472e7af3f27e2aca2549387b5
Instruction ID: 7a88fc2a38916a726eb243c689e6b5cd50faa63c49c79605acd3364eddb3b5e9
Opcode Fuzzy Hash: 00c3c68eca82506cfccc3a6ce8f30115e38e334472e7af3f27e2aca2549387b5
Instruction Fuzzy Hash: 0131F030B002028FDB199B78E46466E3BEABF89710F208528D506DF399DF39CD46CB91

Function 0186FB48 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0186FC83

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 09f26ff0d11d8cad909200caaa0402bb644a21711fce0574633a89384b6e3152
Instruction ID: cc9f82513f66bc3c9bca457dabcc020f1cf2430a804fc7066c982d17eee7a385
Opcode Fuzzy Hash: 09f26ff0d11d8cad909200caaa0402bb644a21711fce0574633a89384b6e3152
Instruction Fuzzy Hash: ED31BE30B002068FDB599B78A46466E7BEABF89700F208438D906DB399DE39DD46C795

Function 01867D90 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01867E14

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: dac6bd20b740565df5420fc706532947d708acfd4fb51bf4b590c38d2aa16f47
Instruction ID: d7ad0119165c6481e271d8e81e71ec0bcfe6c0d6613f9217aed03a7ab4c0ace0
Opcode Fuzzy Hash: dac6bd20b740565df5420fc706532947d708acfd4fb51bf4b590c38d2aa16f47
Instruction Fuzzy Hash: 8D316431E10209DFDB15DFA8C8407AEB7B6FF85714F108529E505EB250DB74AE46CB91

Function 01860848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Co, xrefs: 01860884

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Co
API String ID: 0-3798529171
Opcode ID: b00508eb8cd5f39e057dcfa4340bcfa63294dcd012f6be51a6f9aae6fde20513
Instruction ID: 478b92dccb2977f33378f476b78c497ca79bc25d36a681bb90a35739a1b23fc6
Opcode Fuzzy Hash: b00508eb8cd5f39e057dcfa4340bcfa63294dcd012f6be51a6f9aae6fde20513
Instruction Fuzzy Hash: FB118F30B002088FEF65DABDD84472E769EEB85315F204979F406CF296DA24CE458BC9

Function 01860838 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

Co, xrefs: 01860884

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Co
API String ID: 0-3798529171
Opcode ID: cded6108e55f1c368415d346f78bb5ee11c83675b4a6c02f0e885304ea7d66a6
Instruction ID: 882f835fa2ece5c071890910770dc6a378ab683c505ac721067fb8fac6f596e5
Opcode Fuzzy Hash: cded6108e55f1c368415d346f78bb5ee11c83675b4a6c02f0e885304ea7d66a6
Instruction Fuzzy Hash: 52117330A003048BEF259AADA94437977ADEB45315F104979F406CF246DA79CA458BD9

Function 01866B98 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01866BCF

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 5270c380198c663437fe1eb0baa298e9633aaf2790c903c140e238eba174e166
Instruction ID: 4391368d7151a81fb1e4690da321e39aa7da9c14dbe958e0e76c5a25f7073891
Opcode Fuzzy Hash: 5270c380198c663437fe1eb0baa298e9633aaf2790c903c140e238eba174e166
Instruction Fuzzy Hash: 910100327042059FC305ABBCD42476EBBF6FF8A700F1084AED11ACB294DA359885CB92

Function 01868318 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c459bab47d455c1f6c4bdf6edfd78e5e54dc1029fe539666c8981de8a1cb1e0
Instruction ID: e30cdf7a8d99a28574ccbe09814aaa76ec791bcd9bdccbaaf899546350f1dd50
Opcode Fuzzy Hash: 3c459bab47d455c1f6c4bdf6edfd78e5e54dc1029fe539666c8981de8a1cb1e0
Instruction Fuzzy Hash: 84B150317002069FCB19AB6CE59462D73AAFBCA715F109A39D005CB365CF79DC4AC781

Function 018641BC Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5b98ad9bc0fbdae7b5d1dfd439de5ea2bef399f85f6cfc8f24da081b339d78
Instruction ID: 5834773d479c30cdf4593094ce7370d5deeafa38561fda01bdd501143e388175
Opcode Fuzzy Hash: 0e5b98ad9bc0fbdae7b5d1dfd439de5ea2bef399f85f6cfc8f24da081b339d78
Instruction Fuzzy Hash: 5DB15B70E00209CFDF10CFA9D985B9DBBF6BF88314F248129E819E7254EB749985CB95

Function 01864A8C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1653c2d292c503163ff8503ad300655da454bd4731269641645f47affdea4ec4
Instruction ID: ca582d7f4925473b19c0acf9f0965fa73f66e137fae0ea84f80cfadf8025fc98
Opcode Fuzzy Hash: 1653c2d292c503163ff8503ad300655da454bd4731269641645f47affdea4ec4
Instruction Fuzzy Hash: 03A14A70E00209CFDB10CFA9D98579DBFF6AF88354F248129E819EB354EB749985CB85

Function 018699F4 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae80cf32a29095249e2814397040f3533a2da7b89989dd1be51c974e20383c0
Instruction ID: 44087f7b0268c8b35d50c8f88e7fcb04bddd219dc63c80af24472659df5d8aca
Opcode Fuzzy Hash: cae80cf32a29095249e2814397040f3533a2da7b89989dd1be51c974e20383c0
Instruction Fuzzy Hash: 29916B34A101098FDB18CF68D584AADBBFAFF88314F148569E806EB3A5DB35DD42CB40

Function 01863E74 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9898acc0c7ead34dc070bc72c704c34c294e17d13f5de418100ea16888c64433
Instruction ID: 90023798c0cc5d13b1b4cf3bbe31265311518026fc700568b92441da2e7dc947
Opcode Fuzzy Hash: 9898acc0c7ead34dc070bc72c704c34c294e17d13f5de418100ea16888c64433
Instruction Fuzzy Hash: FD916C70E0060ADFDF10CFA9C98579EBBF6BF48314F148129E819E7254EB749985CB92

Function 01864810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340c43b75b869ec2305b73a09df380b71bfb89835910fe472f1a594e64911d9b
Instruction ID: 2a1c1398e2e93730ee5f438c0dd302f94b94d80a017222e496adf8c03f5edf8a
Opcode Fuzzy Hash: 340c43b75b869ec2305b73a09df380b71bfb89835910fe472f1a594e64911d9b
Instruction Fuzzy Hash: 237188B0E00249DFDF14DFA9C8817AEBBF6BF88314F148129E419E7254EB349942CB95

Function 01864807 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4270e408fda9b2941150e4b8e45a441e472b252460bf47364a2b2cd64310cc10
Instruction ID: bbbc1f734ae1043b31409eb8600cab209613246ab3480721c8e789d87da87a56
Opcode Fuzzy Hash: 4270e408fda9b2941150e4b8e45a441e472b252460bf47364a2b2cd64310cc10
Instruction Fuzzy Hash: 8A7187B0E00249DFDB14DFA9C9857DEBBF6BF88314F148129E418E7254EB349982CB95

Function 01866CD4 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32ef9d37dcbe03979db12c8baee9d823ac607b9bd0c14ff0df649d76c5cc78c
Instruction ID: e754ed7e64053b7c377702d7291e02b1aa7383c6f718d9ffbf603a9fc63a3426
Opcode Fuzzy Hash: e32ef9d37dcbe03979db12c8baee9d823ac607b9bd0c14ff0df649d76c5cc78c
Instruction Fuzzy Hash: F5511370D00258CFDB18CFA9C885B9DBBF5BF48314F248129E819BB250E774A944CF95

Function 01866CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35ff2c1f20cf838a97cf29258012f96ced32d9aea0fa64fbab30f325c257c3e
Instruction ID: 5f05bd61273bbef1b687e8733839d35a6d4049a12ae132713e50715cf24f8936
Opcode Fuzzy Hash: d35ff2c1f20cf838a97cf29258012f96ced32d9aea0fa64fbab30f325c257c3e
Instruction Fuzzy Hash: 88511370D002588FDB18CFA9C888B9DBBF5BF48314F248129E819BB391E774A944CF95

Function 01866F63 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f4f72bf7c618e9f9806cafda132fb74b44d9a08352513e0d34572cef12e7cb
Instruction ID: 28fc61c42a1552915cb576e17eecc9789573c05fadad45292e3b641e1ee0128e
Opcode Fuzzy Hash: 13f4f72bf7c618e9f9806cafda132fb74b44d9a08352513e0d34572cef12e7cb
Instruction Fuzzy Hash: F9411734710215CFDB14DB68C598AAE7BFAEF4C704F604069E502EB3A1DB759E40CBA1

Function 01861138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c484f3453da90df5ef7de987c80e23b8bb45ccbb2d8817ca8009acc3c52ca7
Instruction ID: c315d701c1789a87ce215b7cab8ef05a7aefde1aacf27b50dda296dc980e40a8
Opcode Fuzzy Hash: 68c484f3453da90df5ef7de987c80e23b8bb45ccbb2d8817ca8009acc3c52ca7
Instruction Fuzzy Hash: BE510A30212141CFCB19DF29F98096A3F6DFB5E716F04A1A8D0455B23ADB38AD49DF92

Function 01869D70 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f601cbbb82451b6cefdc6f4c1710fc1d3bc63c27f632f6c3bd9a150b0b0141
Instruction ID: 030eaafb998f55537a972644be5f0c117625126bdaa197093ee7c90191fb7ee6
Opcode Fuzzy Hash: 23f601cbbb82451b6cefdc6f4c1710fc1d3bc63c27f632f6c3bd9a150b0b0141
Instruction Fuzzy Hash: D9319E30F0020A9FDF259E6CD88076EB76EFB86318F20883AD51ADB291D775DD458782

Function 018697E0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c2df400bda443ffe6d052f64c174a119e6e90c19869e3dcc2ae8c960b6e0eb
Instruction ID: 17bb0c86371ae1b3a68ba7c2920d7373975f56d46bcf287847d1488b5b34dc04
Opcode Fuzzy Hash: 08c2df400bda443ffe6d052f64c174a119e6e90c19869e3dcc2ae8c960b6e0eb
Instruction Fuzzy Hash: 0331C731E00219DFDB19CFA9D44069EBBBAEF89314F10852AE815EB381DB75DD46CB81

Function 0186137F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f285711357454ccfd08a119b63f854dae435927a6e9ffc529b640111d9badf27
Instruction ID: bffd5606a4478223ed7085138f8b6179e1cfcbcf7e3980b813bf729591d8bd49
Opcode Fuzzy Hash: f285711357454ccfd08a119b63f854dae435927a6e9ffc529b640111d9badf27
Instruction Fuzzy Hash: 743184312001058FEB269B2CF5C8B69376DF785316F105529E406CF25ADB3DDD8ACB85

Function 0186F9F9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6e776fd27036f60c065c1012c95f4acd23f6b2f05c9cd0df37181777b3b64d
Instruction ID: 78aa3ca56b465ed3f8f616665da60164b4c1ee8ebb2d5d633251102dc76b3852
Opcode Fuzzy Hash: bf6e776fd27036f60c065c1012c95f4acd23f6b2f05c9cd0df37181777b3b64d
Instruction Fuzzy Hash: 4C319435A102059BDB09CF69E8A469EB7F6FF89304F108519E956EB350DB70ED42CB40

Function 018626DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f7153ac0cdeca486a2197d0af55386db219b195af6d22f69f139aca954fc25
Instruction ID: aebe106fafaf4ed0a6a6c19f0b3f27987a0707a5ff301ab48c60aab09fb20b14
Opcode Fuzzy Hash: 65f7153ac0cdeca486a2197d0af55386db219b195af6d22f69f139aca954fc25
Instruction Fuzzy Hash: 3D41EDB09002499FDB14DFA9C884ADEBFF5FF48310F208069E809AB254DB35A945CB90

Function 0186FA08 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74d7a074733ac3eb61917061d5e7ae46825669cd1e6ddf5708e548c596f924c
Instruction ID: 7e52b855948148bc77371401997f5bdaacb825cd3d2e1fe75ee7cb9b15cc0f70
Opcode Fuzzy Hash: b74d7a074733ac3eb61917061d5e7ae46825669cd1e6ddf5708e548c596f924c
Instruction Fuzzy Hash: C0315034A102059BDB19CF69E8A469EB7B6FF89304F108519E956EB350DB70ED42CB50

Function 01865098 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978b5a884c9d93762fb984c4f79ce03cc827c74a782dc3d5ed04c70a4fbf8e4d
Instruction ID: 028eb32f4f578a274f013860dd943b6134433d5a8e447e1428b514518affa925
Opcode Fuzzy Hash: 978b5a884c9d93762fb984c4f79ce03cc827c74a782dc3d5ed04c70a4fbf8e4d
Instruction Fuzzy Hash: E0317A30700215CFDB15EB68D9506AE77BAEF88385F1000A8D502EB391DB3ADE41CB92

Function 018626E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13024448b83fcc13c835b706c7d132a06072db70e0e8487547cecba8877f551f
Instruction ID: 9a646c89300bcbec6f8ba669bfe1d26be678bba298e945a4c52fcdde5002fa1f
Opcode Fuzzy Hash: 13024448b83fcc13c835b706c7d132a06072db70e0e8487547cecba8877f551f
Instruction Fuzzy Hash: 4141EEB0D002499FDB14DFA9C984ADEBFB5FF48310F148469E409AB254DB75A945CB90

Function 018650A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c641bca7f8edc2434ed19f73f500b2337e088555f343f946a068252a4a178bf8
Instruction ID: 54b9503f702b9d98a1f753c34de0ad3e4a2bceeacc6de004691086de648dfd98
Opcode Fuzzy Hash: c641bca7f8edc2434ed19f73f500b2337e088555f343f946a068252a4a178bf8
Instruction Fuzzy Hash: 2F316C30700615CFDB15EB78C9546AE77BAAF88385F1000A8C502EB395EB3ADE41CB92

Function 01861488 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9175cabccbc122be39f3e65780f5acc26c40b163a10f160b23bbd81b65ecce6
Instruction ID: e5c3724c27baf009c90041a6277543385f1ef3e33298e61908bf4f7e9ec9e98f
Opcode Fuzzy Hash: a9175cabccbc122be39f3e65780f5acc26c40b163a10f160b23bbd81b65ecce6
Instruction Fuzzy Hash: 3621E531A012058FDF26ABBCD4C836D7AAEEB85311F140479E505EB343D735DA418796

Function 018698E0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72281e204ba8e6d785cdb9962c95a86eb904079995d2dbc9f66f2c7a33f6e3f5
Instruction ID: 617f156148a9032c8372d9463cba392a6d2785bdd1c132534fe7c6e7f1be5345
Opcode Fuzzy Hash: 72281e204ba8e6d785cdb9962c95a86eb904079995d2dbc9f66f2c7a33f6e3f5
Instruction Fuzzy Hash: 2131B171E1020A9FDB09CFA8D48069EF7B6FF89304F14C61AE845EB341EB709946CB80

Function 018698F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64b5a751a70787e132cd85aff5b89b127d60ae20c128a71d1ce89039ccf056e
Instruction ID: 88721ccbe02b00bc15edbd6e59ad31a05b8cb905a884395b21afe897ed585145
Opcode Fuzzy Hash: e64b5a751a70787e132cd85aff5b89b127d60ae20c128a71d1ce89039ccf056e
Instruction Fuzzy Hash: 3D218530E1020A9FDB05CF69D48069EF7BAFF89304F10C519E845EB351DB709946CB91

Function 018616A3 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd8925baf0feb93f60cf8585c1295af8e4ab62de90bdada066aa18baedd2756
Instruction ID: c8e6ab5873d90a43ffd4d796e8e0cabb0f2692435d36b89f29a8945d0d2bc988
Opcode Fuzzy Hash: dcd8925baf0feb93f60cf8585c1295af8e4ab62de90bdada066aa18baedd2756
Instruction Fuzzy Hash: C62154346001014FEB25EB6CF888B69376EEB89316F109A25D405CB26BDB3CDD45CF91

Function 015DD1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbe4a2df41ed31f68d18fb71538465d62e73708f432b628cfed39e1deed7b52
Instruction ID: 39647f499adabc4d37bfd2e46e3721144349a8552f6e5922312087539fc5c1a3
Opcode Fuzzy Hash: fcbe4a2df41ed31f68d18fb71538465d62e73708f432b628cfed39e1deed7b52
Instruction Fuzzy Hash: B7210771544204DFDB25DF9CD584B2ABBB5FB84324F20C969D8490F286C37AD406C7A1

Function 015DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee955b07e94e3144b8904d3c177c31c8bcc6c108281a643bb1116c06cdfd9f1
Instruction ID: 7e5845f5688f8c9095627c538e3479fcfa1b09d8a1aec9d65317f66d9e10e84d
Opcode Fuzzy Hash: 6ee955b07e94e3144b8904d3c177c31c8bcc6c108281a643bb1116c06cdfd9f1
Instruction Fuzzy Hash: 06210071504204DFCB25DFA8D980B26BBB5FB84314F20C969D9090E296D33AD446CB62

Function 015DD3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fc4fb38957cba289247e363ee93d12947ef16841132d98e0b573d020550c53
Instruction ID: 284422848bc2459a3a660d9ddd6090fb5164718e9b29e81d7734fbae2025f9c3
Opcode Fuzzy Hash: a5fc4fb38957cba289247e363ee93d12947ef16841132d98e0b573d020550c53
Instruction Fuzzy Hash: 052103B1500204DFCB15DF6CD580B26BBB5FB84314F20C96DD9094E296C7BAE406CB62

Function 01864F88 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0486d03f16dcc8bee2343d40082ee9446ed59041808a5b2605eeb72abb00ed57
Instruction ID: cbe3f683eea858fd820d5aeaf4482c89cbd5620e66268797402ad651674adbf7
Opcode Fuzzy Hash: 0486d03f16dcc8bee2343d40082ee9446ed59041808a5b2605eeb72abb00ed57
Instruction Fuzzy Hash: E2214834B00205CFDB58DB79C558AAD7BF5EB89341F1000A8E406EB3A1DB76DE01CB92

Function 018697F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb5af79b13f15dbb2076888e84aa8e32fb41bfc93385236517cce03cb68a099
Instruction ID: 6e0b11822ced765cf4abae0b3e1d89a656c3d4f541402b2ef863bd6d537be9e7
Opcode Fuzzy Hash: ccb5af79b13f15dbb2076888e84aa8e32fb41bfc93385236517cce03cb68a099
Instruction Fuzzy Hash: C1218431E00209DFDB19CFA9C450A9EB7B6EF89314F10852AE815FB380DB719946CB51

Function 01861888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d12b834fe70dfc8e664a3a3ba3bdd34279594b6cfed5f4cb5da36054a35ef8
Instruction ID: 474a130541e3f08adc7a66553471642da4b29a808c38cf9205a31830c34d478a
Opcode Fuzzy Hash: 80d12b834fe70dfc8e664a3a3ba3bdd34279594b6cfed5f4cb5da36054a35ef8
Instruction Fuzzy Hash: 05213030B00205CFDB15DB78C5596AE77F9AF89345F500468C505EB352EB36CE45CB96

Function 0186187B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c321fc507d3fee460245661a1ff2a08c16fb460042e484639431c19a8e7d874
Instruction ID: 94d2e29d6523a54ba75eadc4a7fe86032c57d2112cd3469f376a3b93e76c4baf
Opcode Fuzzy Hash: 3c321fc507d3fee460245661a1ff2a08c16fb460042e484639431c19a8e7d874
Instruction Fuzzy Hash: CB214A30B00205CFDB15EB78C5596AE77F9EB89345F500468C502EB392DB368E45CBA6

Function 018616B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cfbcd7f31e3e0473c1d84390dad11bd39950ae2fc74f4397c3f30fdaa9a676
Instruction ID: d13b53fb637a90a2254380a9c8be5e618f555fdbfdc992c18d2cd5936425c9e8
Opcode Fuzzy Hash: 26cfbcd7f31e3e0473c1d84390dad11bd39950ae2fc74f4397c3f30fdaa9a676
Instruction Fuzzy Hash: 6E2136346001014FEB25DB2CF988B69775EEB89316F109925D405CB25BDB7CDD45CF91

Function 01864F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125339deb1b9dbeb64682942e066de63ff097ab6b0328640c84a7ed88dc6291d
Instruction ID: e9282569cde4b808921fd30331cfb200c031e7c1467c903c3be764bf432485b8
Opcode Fuzzy Hash: 125339deb1b9dbeb64682942e066de63ff097ab6b0328640c84a7ed88dc6291d
Instruction Fuzzy Hash: A2212534B00205CFDB58DB79C558AAE7BF5EB89344F1000A8E506EB3A1DB76DE04CB92

Function 018617C0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23aed931de00ec7b2f6a38ffef3d6138b7c6b3e2b7bd1f8ea7e532e7033412a
Instruction ID: dc4a7f07ba43da6395c900d5e39eb541a6897d4b88a66acd73a6736e32ccf173
Opcode Fuzzy Hash: f23aed931de00ec7b2f6a38ffef3d6138b7c6b3e2b7bd1f8ea7e532e7033412a
Instruction Fuzzy Hash: A511E575B003159FCB10AB79988866FBBEDFB88761F100425E949D7305EB38C902C786

Function 01861498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c7f13382dc25cab3f1ebe2043c846240d183805abe3b86ae1a26f155e99c16
Instruction ID: 6dceea56c4a37287c549b780c31d769f7c15ad0064a692aec83bb12a9315d582
Opcode Fuzzy Hash: 01c7f13382dc25cab3f1ebe2043c846240d183805abe3b86ae1a26f155e99c16
Instruction Fuzzy Hash: 9D014431A012159FCF25EFBC849519DBBFAEF88310B140479E805E7342E735DA418B95

Function 015DD1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 233a068f9c4e060c93a97af6f1694bd84baa311cd5d079c3a84ffb58ade030d0
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 7811BF76504284CFDB22CF58D5C4B19FF71FB84324F24C6AAD8494B696C33AD40ACBA2

Function 015DD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a0f2d85808047093e8022c3617fe0a632712103fbe093b98c5be5bd4b4899b05
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7511A975504280CFDB22CF68D584B19BBB1FB84214F28C6AAD9494B696C33AD44ACB62

Function 015DD3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4493686979.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f143d0f365e23a50e91b2f57a5d873c2b4f6a160210f707f3f6c5641c7d86d73
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C111EE75504240CFCB12CF58C5C4B19BF71FB84314F24C6AAD9494F292C37AE40ACB62

Function 01868783 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db13c19dc9c3908e84b0ea28083a484bf3daba2ee584a3c63dcfdb20bb9307c4
Instruction ID: 794e5e135e1c6ee4e2fdfca9c243b578206c4439ac0a3c42bb5aa50497ed1ab4
Opcode Fuzzy Hash: db13c19dc9c3908e84b0ea28083a484bf3daba2ee584a3c63dcfdb20bb9307c4
Instruction Fuzzy Hash: 31016231940209DFDB45EFB8FD85AAD7BB9EF44305F1095B8C4089B264EB356E09CB82

Function 01868790 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4494411151.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1860000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ddb8500826e96f339d4211e8ab29baabb33976c440f9e6c9af3c8ad5aedfa1
Instruction ID: 481f93e205520d57b1339a08d3ecd91253b81c4523ca12ce3f3ecf3c2146863f
Opcode Fuzzy Hash: 98ddb8500826e96f339d4211e8ab29baabb33976c440f9e6c9af3c8ad5aedfa1
Instruction Fuzzy Hash: FAF03C3190110DDFDB45EFB8F9859AD7BB9EF84305F509278C4089B264EB396E09CB82

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report B24E33 ENQUIRY.vbe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HHhHh.exe.log

C:\Users\user\AppData\Local\Temp\HHhHh.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

SMTP Packets

Statistics

Windows Analysis Report
B24E33 ENQUIRY.vbe

Function 00B31A88 Relevance: 4.1, Strings: 3, Instructions: 317
COMMON

Function 00B333B0 Relevance: 2.8, Strings: 2, Instructions: 258
COMMON

Function 00B3C888 Relevance: 1.8, Strings: 1, Instructions: 584
COMMON

Function 00B333A0 Relevance: 1.5, Strings: 1, Instructions: 249
COMMON

Function 00B3094B Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Function 071E6658 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Function 071E70C8 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 071E6AA0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 071E6FC0 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Function 071E6990 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Function 071E7208 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 00B3843F Relevance: 1.5, Strings: 1, Instructions: 204
COMMON

Function 00B30DB0 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Function 00B30994 Relevance: 1.3, Strings: 1, Instructions: 84
COMMON

Function 00B30F5B Relevance: 1.3, Strings: 1, Instructions: 76
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre