Edit tour

Windows Analysis Report
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Overview

General Information

Sample name:	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Analysis ID:	1467942
MD5:	e96cdfd7c641b4fea03541b97f6342a1
SHA1:	535e5952f7fa869edae1296ba904632207c44aef
SHA256:	1131e8baca9159531db856b4f814c52fd05e7dc32a5412d7e52a41e731e55be9
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe" MD5: E96CDFD7C641B4FEA03541B97F6342A1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.technique.net.au", "Username": "logo@technique.net.au", "Password": "Business@2222"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 E8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ed6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3eddf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ee69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3eefb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ef65:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3efd7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f06d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f0fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fc55:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fcc7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fd51:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fde3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fe4d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3febf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ff55:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ffe5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 E8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 E8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3de55:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dec7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3df51:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dfe3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e04d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e0bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e155:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e1e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ed6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3eddf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ee69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3eefb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ef65:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3efd7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f06d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f0fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3cf6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3cfdf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d069:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d0fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d165:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d1d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d26d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d2fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fc55:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fcc7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fd51:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fde3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fe4d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3febf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ff55:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ffe5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3de55:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dec7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3df51:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dfe3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e04d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e0bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e155:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e1e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3cf6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3cfdf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d069:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d0fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d165:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d1d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d26d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d2fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ed6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3eddf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ee69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3eefb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ef65:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3efd7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f06d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f0fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ed6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3eddf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ee69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3eefb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ef65:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3efd7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f06d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f0fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3cf6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3cfdf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d069:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d0fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d165:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d1d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d26d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d2fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3cf6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3cfdf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d069:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d0fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d165:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d1d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d26d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d2fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fc55:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fcc7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fd51:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fde3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fe4d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3febf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ff55:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ffe5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ed6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3eddf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ee69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3eefb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ef65:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3efd7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f06d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f0fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 122.201.84.5, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, Initiated: true, ProcessId: 6668, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Avira: detected

Found malware configuration

Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.technique.net.au", "Username": "logo@technique.net.au", "Password": "Business@2222"}

Multi AV Scanner detection for submitted file

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Virustotal: Detection: 54%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Joe Sandbox ML: detected

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:

Binary string: _.pdb source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 122.201.84.5:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 122.201.84.5:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.technique.net.au

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002854000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000028F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.technique.net.au
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3DlgK9re6m.cs

.Net Code: xCBm

Installs a global keyboard hook

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0222D620	0_2_0222D620
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0222CA08	0_2_0222CA08
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0222CD50	0_2_0222CD50
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_02220FD0	0_2_02220FD0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_02221030	0_2_02221030
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05800500	0_2_05800500
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B3C5A0	0_2_05B3C5A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B3DD90	0_2_05B3DD90
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B3B7C8	0_2_05B3B7C8
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B38358	0_2_05B38358
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B30006	0_2_05B30006
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B30040	0_2_05B30040
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_05B3D6A0	0_2_05B3D6A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_061C3154	0_2_061C3154
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_061C3A10	0_2_061C3A10
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_064806A8	0_2_064806A8
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0648BF52	0_2_0648BF52
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0648BF60	0_2_0648BF60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_06485BD1	0_2_06485BD1

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: String function: 0040E1D8 appears 43 times

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092264042.0000000000198000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9952230798192772

Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

0_2_004019F0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Command line argument: 08A

0_2_00413780

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

0_2_004019F0

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Static PE information: real checksum: 0x23bfb should be: 0x4d812

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd	0_2_0040BBA3
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_02224347 push ebp; iretd	0_2_02224360
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_02224752 pushad ; retf	0_2_02224755
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_02224F5E push edx; ret	0_2_02224F63
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_061CC250 push es; ret	0_2_061CC260
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_061C2856 push 14062C2Fh; retf	0_2_061C2865
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_064833F0 push es; ret	0_2_064833F4
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0648DF2F push ecx; ret	0_2_0648DF49

Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Memory allocated: 2180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Memory allocated: 2180000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

0_2_004019F0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199581	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199212	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199080	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198938	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198329	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198204	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198079	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197954	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197329	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197204	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197079	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196954	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196250	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195969	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195787	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195640	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195524	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195422	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195310	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195203	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195094	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194969	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194860	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194735	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194610	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194485	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194360	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194235	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194110	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193985	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193860	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193735	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193610	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193485	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193360	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Window / User API: threadDelayed 2269			Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Window / User API: threadDelayed 7545			Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199581s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199212s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1199080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1198079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1197079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1196250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195524s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1195094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1194110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732	Thread sleep time: -1193360s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199581	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199212	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1199080	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198938	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198329	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198204	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1198079	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197954	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197329	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197204	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1197079	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196954	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196829	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196704	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196579	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196454	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1196250	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195969	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195787	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195640	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195524	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195422	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195310	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195203	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1195094	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194969	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194860	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194735	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194610	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194485	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194360	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194235	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1194110	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193985	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193860	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193735	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193610	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193485	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Thread delayed: delay time: 1193360	Jump to behavior

Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1653952673.0000000005A19000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864546853.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095535541.0000000005A2B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A27000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

API call chain: ExitProcess graph end node

graph_0-48400

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CE09

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

0_2_004019F0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

0_2_004019F0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,

0_2_0040ADB0

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CE09
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040E61C
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00416F6A
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,	0_2_004123F1

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: GetLocaleInfoA,

0_2_00417A20

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00412A15

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	54%	Virustotal		Browse
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	100%	Avira	TR/Spy.Gen8
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://mail.technique.net.au	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.technique.net.au	122.201.84.5	true	true		unknown
api.ipify.org	104.26.12.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.technique.net.au	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002854000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000028F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
122.201.84.5	mail.technique.net.au	Australia		38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467942
Start date and time:	2024-07-05 06:00:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 84 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:00:55	API Interceptor	10106515x Sleep call for process: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
122.201.84.5	0NJYTCJYLo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
122.201.84.5	B24E33 ENQUIRY.vbe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.technique.net.au	0NJYTCJYLo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	122.201.84.5
mail.technique.net.au	B24E33 ENQUIRY.vbe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	122.201.84.5
api.ipify.org	XX(1).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	M.V TBN - VESSEL'S DETAILS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	0001.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	Luciana Alvarez CV.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Acal BFi UK - Products List 020240704.exe	Get hash	malicious	AgentTesla, RedLine, StormKitty, XWorm	Browse	172.67.74.152
	z4XlS0wTQM.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	5gO02Ijl9V.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	6xmBUtHylU.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	XX(1).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	OVER DUE INVOICE PAYMENT.docx	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://rb.gy/zsqpja	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://singingfiles.com/show.php?l=0&u=2156442&id=64574	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://services.business-manange.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.138.117
	http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	https://scm.ci/cgi-bin/redirect.php	Get hash	malicious	Unknown	Browse	27.123.25.1
	0NJYTCJYLo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	122.201.84.5
	https://scm.ci/cgi-bin/redirect.php	Get hash	malicious	Unknown	Browse	27.123.25.1
	https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2flodgesonvashon.us11.list%2dmanage.com%2ftrack%2fclick%3fu%3d7bd9671a0b3250a7fef40b908%26id%3d9037f6334e%26e%3d176d192631&umid=c3b5e576-eabb-43b1-b355-8b3314499765&auth=f59947c46ffdca8529044338828c8694fe545b0c-470863c8cfe4c44d03e20bf02e2ceab308b9cbff	Get hash	malicious	Unknown	Browse	203.170.87.17
	B24E33 ENQUIRY.vbe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	122.201.84.5
	https://scm.ci/cgi-bin/redirect.php	Get hash	malicious	Unknown	Browse	27.123.25.1
	https://www.thaicreate.com/outlink.php?l=https://p6f.org/mI1AchQ3EllQ3Ez01lavallQ3EQ3E2APchD5QD5Q4DCz01oTx4RAW4G	Get hash	malicious	HTMLPhisher	Browse	203.170.87.81
	https://is.gd/Drz8uT	Get hash	malicious	Unknown	Browse	103.254.137.2
	malware.html	Get hash	malicious	HTMLPhisher	Browse	185.184.154.145
	tXwY81Gv84.elf	Get hash	malicious	Mirai	Browse	116.0.24.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	XX(1).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://singingfiles.com/show.php?l=0&u=2156442&id=64574	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://sula.starladeroff.com/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://pradeeprunner.com/auth.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDA	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	104.26.12.205

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.537140181080374
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
File size:	266'752 bytes
MD5:	e96cdfd7c641b4fea03541b97f6342a1
SHA1:	535e5952f7fa869edae1296ba904632207c44aef
SHA256:	1131e8baca9159531db856b4f814c52fd05e7dc32a5412d7e52a41e731e55be9
SHA512:	dca000cf7cfea99b4a79e27489b098c9a07fef6dad19ed3fffeaa3a5696e69a07737449758f68179568222563c9c66cc09609b6189d66a0c414b9ae288736463
SSDEEP:	3072:gDKW1LgppLRHMY0TBfJvjcTp5XnN4f28uuQbz588HwmGahgFR9dBkdXQ8ythtzt/:gDKW1Lgbdl0TBBvjc/nKlYa8HJGLdVCq
TLSH:	CF44DF207580C1B3C477153544EACB799A36303607B996D7BB9D2BBA6F213E1A3352CE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~..................:f....PE..L...t..P..........#........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cd2f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf5a4aa99e5b160f8521cadd6bfe73b8

Entrypoint Preview

Instruction
call 00007F9248B96596h
jmp 00007F9248B90759h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F9248B908BEh
test byte ptr [eax], 00000008h
je 00007F9248B908B9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F9248B9084Bh
call 00007F9248B970D0h
cmp dword ptr [ebp+00h], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215b4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x1f1bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20da0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	5e0f3421531e3d473f13824d067273fb	False	0.5789483762254902	data	6.748552727161787	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	5826801f33fc1b607aa8e942aa92e9fa	False	0.5467329545454546	data	6.442956247632331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	2fe51a72ede820cd7cf55a77ba59b1f4	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x1f1bc	0x1f200	79f9ec68b11758f8d217adc07088cec8	False	0.9952230798192772	data	7.994924071112424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x26124	0x1ebcf	data	1.0003653606347744
RT_RCDATA	0x44cf4	0x20	data	1.28125
RT_VERSION	0x44d14	0x2bc	data	0.44
RT_MANIFEST	0x44fd0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
KERNEL32.dll	RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 06:00:55.838167906 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:55.838196039 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:55.838304043 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:55.851339102 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:55.851355076 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.330765963 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.330854893 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:56.334939957 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:56.334949017 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.335238934 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.386421919 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:56.399410963 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:56.440541029 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.538403988 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.538489103 CEST	443	49730	104.26.12.205	192.168.2.4
Jul 5, 2024 06:00:56.538564920 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:00:56.568008900 CEST	49730	443	192.168.2.4	104.26.12.205
Jul 5, 2024 06:02:34.534404993 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:34.539282084 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:34.539380074 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:35.787312031 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:35.787545919 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:35.792417049 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.100128889 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.100398064 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:36.105269909 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.418004990 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.418442965 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:36.429444075 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.758630037 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.758647919 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.758661985 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:36.758744955 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:36.773044109 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:36.777906895 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.085483074 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.091497898 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:37.096352100 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.403538942 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.407494068 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:37.412389994 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.719795942 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:37.720166922 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:37.725112915 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:38.321947098 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:38.352866888 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:38.358455896 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:38.665534973 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:38.676564932 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:38.682722092 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:38.998826027 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.002723932 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.010135889 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.317107916 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.328274965 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.328772068 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.328843117 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.328918934 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.330152988 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.333265066 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.333329916 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.333576918 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.333607912 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.333760977 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.333810091 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.335051060 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335061073 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335083961 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335093021 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335100889 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335109949 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.335143089 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.335148096 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.335169077 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.335185051 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.338170052 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.338180065 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.338226080 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.338464975 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.338474989 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.338522911 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.338603020 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.338651896 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.339988947 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.340059042 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.340100050 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.340168953 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.340209961 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.340224028 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.340260983 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.340281010 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.343081951 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.343133926 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.343210936 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.343264103 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.343281984 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.343331099 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.343368053 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.343416929 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.344713926 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.344790936 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.344934940 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.344996929 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.345036983 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345113039 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.345242977 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345253944 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345304966 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:02:39.345305920 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345426083 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345531940 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345541954 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345550060 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.345560074 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348067045 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348076105 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348150969 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348160982 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348169088 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348189116 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348197937 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.348206997 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349509001 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349519968 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349536896 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349545956 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349587917 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349596977 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349605083 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349613905 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349914074 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349988937 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.349998951 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350074053 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350136042 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350176096 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350224018 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350275040 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350366116 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350419998 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350491047 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350500107 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350549936 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:39.350560904 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:40.310030937 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:02:40.355317116 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:14.394565105 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:14.400458097 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:14.708101988 CEST	587	49738	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:14.708858967 CEST	49738	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:14.714570999 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:14.720582962 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:14.720664978 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:15.856456041 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:15.866574049 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:15.871689081 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.175806046 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.182564974 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:16.187480927 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.493336916 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.493791103 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:16.498548985 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.816564083 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.816577911 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.816584110 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.816591024 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:16.816718102 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:16.820688963 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:16.825432062 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.129883051 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.130825996 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:17.135680914 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.439744949 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.439999104 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:17.445209980 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.750021935 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:17.750344038 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:17.755194902 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.080255032 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.080596924 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:18.085504055 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.390178919 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.390454054 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:18.395319939 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.708074093 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:18.708810091 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:18.713757992 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.018107891 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.032655954 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.032747984 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.032778978 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.037714005 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.037725925 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.037735939 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.072176933 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.076983929 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.084233046 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090367079 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090389013 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090418100 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090440035 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090447903 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090491056 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090627909 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090663910 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090672970 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090682983 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090693951 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.090719938 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.090737104 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.091672897 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.091726065 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.091763973 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.091778040 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.091790915 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.091801882 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.091815948 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.091829062 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097168922 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097203970 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097223997 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097244978 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097793102 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097832918 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097866058 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097878933 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097910881 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097918987 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097940922 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.097963095 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.097979069 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.099539042 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.099600077 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.099634886 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.099674940 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.099679947 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.099709034 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.103962898 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104007006 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104506969 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104526043 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104568005 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104635954 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104648113 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104743004 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104968071 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104978085 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104988098 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.104998112 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.105010986 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106336117 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106345892 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106358051 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106596947 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106606960 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106640100 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106650114 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106697083 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106707096 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106718063 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.106801033 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.120309114 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.120337963 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.120337963 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.120413065 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.120434046 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:19.126672029 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126681089 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126786947 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126796961 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126806021 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126815081 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126832962 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126842022 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126904011 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126914024 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126965046 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126975060 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.126991987 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127001047 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127010107 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127063990 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127074003 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127427101 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127454996 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127558947 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:19.127568960 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:20.058800936 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:20.129220963 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:22.729159117 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:22.734040022 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:23.038222075 CEST	587	49739	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:23.077553988 CEST	49739	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:23.085810900 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:23.090678930 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:23.092063904 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:24.172553062 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:24.172703981 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:24.177632093 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:24.475943089 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:24.476109982 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:24.480926037 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:24.780406952 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:24.780786991 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:24.785824060 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:25.036639929 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:25.042898893 CEST	587	49740	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:25.044828892 CEST	49740	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:25.082401991 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:25.088449001 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:25.089070082 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:26.162312984 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:26.162451029 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:26.167274952 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:26.466238022 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:26.466522932 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:26.471393108 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:26.772327900 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:26.772701979 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:26.777770996 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.087920904 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.087946892 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.087960958 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.090807915 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:27.094573975 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:27.101196051 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.399401903 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.409666061 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:27.416062117 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.876384974 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:27.878899097 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:27.885049105 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:28.185787916 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:28.186155081 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:28.205131054 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:28.465368032 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:28.470691919 CEST	587	49741	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:28.470750093 CEST	49741	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:28.532288074 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:28.537158966 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:28.537239075 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:29.349941969 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:29.350181103 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:29.355046988 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.462814093 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.462949038 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:30.463052034 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.463063002 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.463093996 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:30.463109016 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:30.467777014 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.773812056 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:30.774605989 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:30.779434919 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.092952967 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.092968941 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.092987061 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.093147993 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:31.094696999 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:31.099586964 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.404402971 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.406577110 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:31.411451101 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.716495037 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:31.718903065 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:31.724843025 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.032566071 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.032861948 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:32.040227890 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.357786894 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.357983112 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:32.362888098 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.667737961 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:32.668159962 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:32.673054934 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.047766924 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.054575920 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.059401035 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.494015932 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.494427919 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.494427919 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.494460106 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.494645119 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.495980978 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.499306917 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.499317884 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.499325991 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.499382973 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.499416113 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.499581099 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.501285076 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501293898 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501302004 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501312017 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501395941 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.501395941 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.501494884 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501503944 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501512051 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.501547098 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.501605988 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.503972054 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.503981113 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.504045010 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.504156113 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.504204988 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.504296064 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.504398108 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.506325006 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.506395102 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.506582975 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.506753922 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.506876945 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.508846998 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.508898020 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.508935928 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.508970022 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.509023905 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.509254932 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.509413004 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.509522915 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.511331081 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.511532068 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.511753082 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.511862993 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.511921883 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.511949062 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.511976004 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512047052 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512123108 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512183905 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512185097 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:33.512248993 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512307882 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512316942 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512413979 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512423992 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512458086 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512466908 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512515068 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.512523890 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.513746977 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.513972044 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514027119 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514072895 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514081955 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514134884 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514143944 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.514173985 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516244888 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516335011 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516345024 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516577005 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516699076 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516707897 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516761065 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516769886 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516844988 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516854048 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516911030 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516920090 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516963959 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.516973972 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.517066956 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.517076969 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.517129898 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:33.517222881 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:34.455773115 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:34.496025085 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:36.585995913 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:36.590960026 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:36.931713104 CEST	587	49742	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:36.933686018 CEST	49742	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:36.936606884 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:36.945136070 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:36.952593088 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.082988977 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.083126068 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.087954998 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.389360905 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.389523029 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.394398928 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.402570963 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.407994986 CEST	587	49743	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.408057928 CEST	49743	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.470411062 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:38.475346088 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:38.475419044 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:39.267546892 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:39.267739058 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:39.272573948 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:39.572573900 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:39.572855949 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:39.577828884 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:39.877355099 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:39.877733946 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:39.882591963 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.189887047 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.189910889 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.189925909 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.189961910 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:40.192882061 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:40.197698116 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.496296883 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.498123884 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:40.503082037 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.801944017 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:40.802822113 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:40.807832956 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:41.109982014 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:41.110848904 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:41.116456985 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:41.720702887 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:41.721223116 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:41.726749897 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.025026083 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.025254011 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.030100107 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.351095915 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.357750893 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.363078117 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.661526918 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.663407087 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.663501978 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.663572073 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.663667917 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.668625116 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.668658018 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.668669939 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.668679953 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.700177908 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705123901 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705136061 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705179930 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705189943 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705197096 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705229998 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705240011 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705255985 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705259085 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705270052 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705303907 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705311060 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705329895 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705338001 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.705349922 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.705382109 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.709677935 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.709727049 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.709990025 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710052967 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710150003 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710202932 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710216045 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710268021 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710300922 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710345030 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710391045 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710443974 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710468054 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710522890 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710555077 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710608006 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710632086 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710680008 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710697889 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.710747004 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.710767984 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.712301016 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.714551926 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.714616060 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.714776039 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.714828014 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.715007067 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715018034 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715063095 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.715095043 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:42.715157986 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715190887 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715240002 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715298891 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715323925 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715393066 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715445042 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715456009 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715506077 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715514898 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715554953 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715564966 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715611935 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715621948 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715670109 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715678930 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715739012 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715749025 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715759039 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715835094 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715848923 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.715867996 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.717051029 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.717138052 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.717148066 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.717315912 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.717325926 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.719433069 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.719861031 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.719872952 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.719983101 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.719993114 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720010996 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720020056 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720077991 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720088005 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720133066 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720223904 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720233917 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:42.720242977 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:43.636904955 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:43.839776039 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:54.798336983 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:54.803169966 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:55.101679087 CEST	587	49744	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:55.102195024 CEST	49744	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:55.106597900 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:55.111432076 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:55.111500025 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:55.909920931 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:55.910726070 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:55.916560888 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.219146967 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.219301939 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:56.224138975 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.528192043 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.528676987 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:56.533550978 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.885138988 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.885199070 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.885255098 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:56.885257006 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:56.887139082 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:56.892251968 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.195138931 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.200496912 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:57.205396891 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.508078098 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.508356094 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:57.514121056 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.817122936 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:57.818800926 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:57.823645115 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.147583008 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.147818089 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:58.152743101 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.455553055 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.455735922 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:58.460721016 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.770806074 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:58.770971060 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:58.776087046 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.078527927 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.078836918 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.078895092 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.078895092 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.080226898 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.080226898 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.084078074 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.084089041 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.084098101 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.084209919 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.085325003 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085483074 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085493088 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085503101 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085513115 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085603952 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.085603952 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.085640907 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085650921 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085659027 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.085793972 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.088632107 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.088643074 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.088848114 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.089041948 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.089131117 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.090502024 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090557098 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090600014 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.090611935 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090615034 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.090682983 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090785980 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090814114 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090816021 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.090847015 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090874910 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.090904951 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.090985060 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.093698025 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.093863010 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.093997955 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.095247984 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095383883 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095427036 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095484972 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.095588923 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.095845938 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095916033 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095941067 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.095956087 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.095988989 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096025944 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.096051931 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096054077 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.096124887 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096134901 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096183062 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096220970 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096230984 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096317053 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096327066 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096430063 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096441031 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.096915960 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.098851919 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100001097 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100011110 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100254059 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100265026 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100272894 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100285053 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100292921 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100375891 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100389957 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100516081 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100526094 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100589037 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100617886 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100672007 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100691080 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100742102 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100750923 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100853920 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100862980 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100939989 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.100949049 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.101011038 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.101021051 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.101094007 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.101103067 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.101111889 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.480963945 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.486121893 CEST	587	49745	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.486242056 CEST	49745	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.548114061 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:03:59.552922964 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:03:59.556813002 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:00.363586903 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:00.363732100 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:00.368685961 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:00.675371885 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:00.675542116 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:00.680380106 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:00.988118887 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:00.992711067 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:00.997608900 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.319009066 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.319025993 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.319035053 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.319152117 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:01.320605993 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:01.325474977 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.632024050 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.640718937 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:01.645570040 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.951411009 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:01.954550028 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:01.959572077 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.265934944 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.267112017 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:02.272010088 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.594713926 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.594943047 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:02.599812984 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.905704021 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:02.905911922 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:02.910768032 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.227157116 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.228660107 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.233449936 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.539623022 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.539982080 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.540090084 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.540105104 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.540158033 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.543209076 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.544913054 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.544953108 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.544962883 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.544970989 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.545022964 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.545094967 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.548067093 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548075914 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548118114 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548127890 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548171043 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548175097 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.548175097 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.548182011 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548199892 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.548222065 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.548291922 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.549666882 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.549726009 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.549787045 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.549787045 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.549788952 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.549952030 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.549952984 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.550074100 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.553035021 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553075075 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553090096 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553131104 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553173065 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.553209066 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.553212881 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553224087 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.553232908 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553309917 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.553354979 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.553472042 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.554574013 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.554583073 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.554686069 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.554764986 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.554862022 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.554897070 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.555064917 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.557930946 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.557987928 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558024883 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558034897 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.558079004 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.558099985 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558116913 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558128119 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558155060 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558232069 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.558306932 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.558343887 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558396101 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558406115 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558413982 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.558423996 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559441090 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559489012 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559499025 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559691906 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559703112 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559784889 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559796095 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559813023 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559823036 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559875011 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559885025 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559894085 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.559994936 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.560003996 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.560015917 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.560060978 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562832117 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562889099 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562899113 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562975883 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562985897 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.562994957 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563074112 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563091040 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563188076 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563196898 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563205004 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.563214064 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.715512037 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.720662117 CEST	587	49746	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.721358061 CEST	49746	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.789777040 CEST	49747	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:03.794681072 CEST	587	49747	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:03.794766903 CEST	49747	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:04.011831999 CEST	49747	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:04.016769886 CEST	587	49747	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:04.016836882 CEST	49747	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:04.070225000 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:04.075073957 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:04.075138092 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:05.038444996 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:05.038660049 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:05.043554068 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:05.343961000 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:05.350456953 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:05.356071949 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:05.657335997 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:05.713669062 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:05.718683958 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.027543068 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.027565956 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.027580023 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.027627945 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:06.033094883 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:06.037908077 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.338150024 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.386704922 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:06.412089109 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:06.416965961 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.716949940 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:06.717134953 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:06.722217083 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.022422075 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.026618004 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:07.031461000 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.354018927 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.354253054 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:07.359181881 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.658824921 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.659017086 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:07.664103985 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.973980904 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:07.974195004 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:07.979204893 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.278995991 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.286437988 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.286750078 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.286789894 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.286838055 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.290738106 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.291294098 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.291349888 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.291552067 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.291589975 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.291870117 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.291909933 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.295922041 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295933008 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295941114 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295954943 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295964003 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295973063 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.295969963 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.295999050 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.295999050 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.296017885 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.296022892 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.296027899 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.296061039 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.296077013 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.296288967 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.296298027 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.296340942 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.296669006 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.296716928 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.300954103 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301008940 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301063061 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301073074 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301142931 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301183939 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301194906 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301206112 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301249027 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301274061 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301295042 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301306009 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301311970 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301359892 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.301619053 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.301691055 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.305852890 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.305917978 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.305974007 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306024075 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306034088 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306036949 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:08.306108952 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306138992 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306157112 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306361914 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306548119 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306586027 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306633949 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306672096 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306716919 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306725979 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306759119 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306773901 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306845903 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306854963 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306864977 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306874037 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306916952 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306926012 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.306936026 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.310709953 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.310720921 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.310779095 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.310795069 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.311044931 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.311053991 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.311062098 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.311072111 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:08.311079979 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:09.239799976 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:09.373826981 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.041385889 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.046338081 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:38.346441031 CEST	587	49748	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:38.346822977 CEST	49748	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.347881079 CEST	49749	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.352710962 CEST	587	49749	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:38.352783918 CEST	49749	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.418958902 CEST	49749	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.423852921 CEST	587	49749	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:38.423913956 CEST	49749	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.497751951 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:38.502619982 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:38.502681971 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:39.313868999 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:39.314026117 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:39.318921089 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:39.625488997 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:39.625688076 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:39.630599022 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:39.937892914 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:39.942151070 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:39.946899891 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.261420965 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.261442900 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.261456966 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.261507988 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:40.264518023 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:40.269270897 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.576159954 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.578530073 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:40.583528996 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.892282963 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:40.892503023 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:40.897301912 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.205238104 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.206892967 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:41.211743116 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.535388947 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.535650015 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:41.540451050 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.846666098 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:41.846951008 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:41.851773024 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.168654919 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.168816090 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.173599005 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.479424953 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.479810953 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.479895115 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.479940891 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.480026007 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.481539965 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.486978054 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.487030029 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.487134933 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.487293005 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.487303972 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.487349987 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.488430023 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488440990 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488492012 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.488553047 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488562107 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488569975 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488579035 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488609076 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.488637924 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.488682985 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.488729954 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.494689941 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.494700909 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.494752884 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.494815111 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.494859934 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.495130062 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.495182991 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.495704889 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.495753050 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.495846033 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.495898962 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.495973110 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.495981932 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.495990992 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.496016979 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.496054888 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.496129990 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.496180058 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.496309042 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.496356010 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.499742031 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.499797106 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.499844074 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.499908924 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.500276089 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.500319958 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.500575066 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.500618935 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.500967979 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501029968 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:42.501077890 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501106977 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501153946 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501163960 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501214027 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501223087 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501280069 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501317024 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501326084 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501369953 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501379967 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.501386881 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504687071 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504698038 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504705906 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504942894 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504952908 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504983902 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.504992008 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505024910 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505043030 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505095959 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505300045 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505309105 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505316973 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505599022 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505706072 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505716085 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505726099 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505738020 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505810022 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.505992889 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.506036043 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.506045103 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.506170034 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:42.506181002 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:43.440004110 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:43.498651981 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:51.958663940 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:51.968332052 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:52.270585060 CEST	587	49750	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:52.271195889 CEST	49750	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:52.272490978 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:52.283152103 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:52.283207893 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:53.089324951 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:53.096985102 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:53.101917028 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:53.404478073 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:53.405091047 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:53.409934998 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:53.713761091 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:53.714169979 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:53.718976974 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.034720898 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.034739017 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.034754038 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.034960032 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:54.036736012 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:54.041611910 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.344789028 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.347138882 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:54.351958990 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.654172897 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.654439926 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:54.659229040 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.962609053 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:54.962852001 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:54.967731953 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:55.575474024 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:55.577375889 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:55.584849119 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:55.887474060 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:55.889446020 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:55.895410061 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.206409931 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.206589937 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.212798119 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.515594959 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.515858889 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.515886068 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.515933037 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.515969038 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.517194986 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.520761013 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.520771980 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.520783901 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.520817995 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.520818949 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.520862103 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.522171021 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522217989 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.522236109 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522244930 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522254944 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522264004 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522274971 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522283077 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.522294998 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.522315979 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.522319078 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.522353888 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.525571108 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.525579929 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.525614977 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.525616884 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.525614977 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.525631905 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.525660038 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.525702953 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.525748014 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.527072906 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527112007 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527120113 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.527162075 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.527172089 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527239084 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.527314901 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527357101 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527367115 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.527394056 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.527416945 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.530472040 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.530510902 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.530529976 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.530565977 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.532730103 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.532800913 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.532880068 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.532888889 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.532903910 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.532932997 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.532933950 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.532982111 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.533010006 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.533016920 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:04:56.533916950 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.535348892 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537436962 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537447929 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537467957 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537477970 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537484884 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537496090 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537522078 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537571907 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537580967 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537632942 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537642956 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537743092 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537751913 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537760019 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537767887 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537789106 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537797928 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537806034 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537820101 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537837982 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537847996 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537858009 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537873983 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537910938 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.537964106 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:56.538001060 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:57.469861984 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:04:57.511863947 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:01.324862003 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:01.329792023 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:01.632396936 CEST	587	49751	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:01.633034945 CEST	49751	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:01.636882067 CEST	49752	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:01.642252922 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:01.644871950 CEST	49752	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:02.731417894 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:02.731472969 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:02.731560946 CEST	49752	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:02.731606007 CEST	49752	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:02.736377001 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:03.039385080 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:03.039542913 CEST	49752	587	192.168.2.4	122.201.84.5
Jul 5, 2024 06:05:03.044405937 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:03.348575115 CEST	587	49752	122.201.84.5	192.168.2.4
Jul 5, 2024 06:05:03.402390957 CEST	49752	587	192.168.2.4	122.201.84.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 06:00:55.826935053 CEST	53902	53	192.168.2.4	1.1.1.1
Jul 5, 2024 06:00:55.834028959 CEST	53	53902	1.1.1.1	192.168.2.4
Jul 5, 2024 06:02:34.176769972 CEST	63700	53	192.168.2.4	1.1.1.1
Jul 5, 2024 06:02:34.533390045 CEST	53	63700	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 06:00:55.826935053 CEST	192.168.2.4	1.1.1.1	0x45e9	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 06:02:34.176769972 CEST	192.168.2.4	1.1.1.1	0x44d2	Standard query (0)	mail.technique.net.au	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 06:00:55.834028959 CEST	1.1.1.1	192.168.2.4	0x45e9	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 5, 2024 06:00:55.834028959 CEST	1.1.1.1	192.168.2.4	0x45e9	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 5, 2024 06:00:55.834028959 CEST	1.1.1.1	192.168.2.4	0x45e9	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 5, 2024 06:02:34.533390045 CEST	1.1.1.1	192.168.2.4	0x44d2	No error (0)	mail.technique.net.au	122.201.84.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.12.205	443	6668	C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-05 04:00:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-05 04:00:56 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 04:00:56 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89e47370dccd7c88-EWR
2024-07-05 04:00:56 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 5, 2024 06:02:35.787312031 CEST	587	49738	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:09:43 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:02:35.787545919 CEST	49738	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:02:36.100128889 CEST	587	49738	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:02:36.100398064 CEST	49738	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:02:36.418004990 CEST	587	49738	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:15.856456041 CEST	587	49739	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:23 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:15.866574049 CEST	49739	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:16.175806046 CEST	587	49739	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:16.182564974 CEST	49739	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:16.493336916 CEST	587	49739	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:24.172553062 CEST	587	49740	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:31 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:24.172703981 CEST	49740	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:24.475943089 CEST	587	49740	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:24.476109982 CEST	49740	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:24.780406952 CEST	587	49740	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:26.162312984 CEST	587	49741	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:33 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:26.162451029 CEST	49741	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:26.466238022 CEST	587	49741	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:26.466522932 CEST	49741	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:26.772327900 CEST	587	49741	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:29.349941969 CEST	587	49742	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:36 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:29.350181103 CEST	49742	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:30.462814093 CEST	587	49742	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:30.462949038 CEST	49742	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:30.463052034 CEST	587	49742	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:30.463063002 CEST	587	49742	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:30.773812056 CEST	587	49742	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:38.082988977 CEST	587	49743	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:45 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:38.083126068 CEST	49743	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:38.389360905 CEST	587	49743	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:38.389523029 CEST	49743	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:39.267546892 CEST	587	49744	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:10:46 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:39.267739058 CEST	49744	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:39.572573900 CEST	587	49744	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:39.572855949 CEST	49744	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:39.877355099 CEST	587	49744	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:03:55.909920931 CEST	587	49745	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:11:03 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:03:55.910726070 CEST	49745	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:03:56.219146967 CEST	587	49745	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:03:56.219301939 CEST	49745	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:03:56.528192043 CEST	587	49745	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:04:00.363586903 CEST	587	49746	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:11:07 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:04:00.363732100 CEST	49746	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:04:00.675371885 CEST	587	49746	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:04:00.675542116 CEST	49746	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:04:00.988118887 CEST	587	49746	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:04:05.038444996 CEST	587	49748	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:11:12 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:04:05.038660049 CEST	49748	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:04:05.343961000 CEST	587	49748	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:04:05.350456953 CEST	49748	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:04:05.657335997 CEST	587	49748	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:04:39.313868999 CEST	587	49750	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:11:46 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:04:39.314026117 CEST	49750	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:04:39.625488997 CEST	587	49750	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:04:39.625688076 CEST	49750	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:04:39.937892914 CEST	587	49750	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:04:53.089324951 CEST	587	49751	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:12:00 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:04:53.096985102 CEST	49751	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:04:53.404478073 CEST	587	49751	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:04:53.405091047 CEST	49751	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:04:53.713761091 CEST	587	49751	122.201.84.5	192.168.2.4	220 TLS go ahead
Jul 5, 2024 06:05:02.731417894 CEST	587	49752	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:12:09 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:05:02.731472969 CEST	587	49752	122.201.84.5	192.168.2.4	220-biz204.vodien.com.au ESMTP Exim 4.96.1 #2 Fri, 05 Jul 2024 14:12:09 +1000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 06:05:02.731606007 CEST	49752	587	192.168.2.4	122.201.84.5	EHLO 841675
Jul 5, 2024 06:05:03.039385080 CEST	587	49752	122.201.84.5	192.168.2.4	250-biz204.vodien.com.au Hello 841675 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 5, 2024 06:05:03.039542913 CEST	49752	587	192.168.2.4	122.201.84.5	STARTTLS
Jul 5, 2024 06:05:03.348575115 CEST	587	49752	122.201.84.5	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	00:00:54
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe"
Imagebase:	0x400000
File size:	266'752 bytes
MD5 hash:	E96CDFD7C641B4FEA03541B97F6342A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exePID: 6668, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	60.8%
Signature Coverage:	11.8%
Total number of Nodes:	416
Total number of Limit Nodes:	49

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
FindCloseChangeNotification.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

D, xrefs: 00401DFB
U, xrefs: 004020F5
E, xrefs: 00401E0F
., xrefs: 00401B0A
x, xrefs: 00401E69
o, xrefs: 00402159
v, xrefs: 00401E4B
', xrefs: 00401AF6
W, xrefs: 00401B23
6, xrefs: 004020C5
V, xrefs: 00402038
[, xrefs: 00401B37
x, xrefs: 00401B78
_._, xrefs: 00402257
8, xrefs: 00401BA9
h, xrefs: 00401A6F
W, xrefs: 004020E6
4, xrefs: 00401B64
o, xrefs: 00401B8D
___, xrefs: 0040227D
[, xrefs: 00402047
V, xrefs: 00401E19
{, xrefs: 0040205B
0, xrefs: 00401BBD
:, xrefs: 00401B28
4, xrefs: 00402136
v, xrefs: 0040212C
W, xrefs: 00401B14
v, xrefs: 0040206A
", xrefs: 00401B0F
), xrefs: 0040202E
x, xrefs: 0040214A
*, xrefs: 00401A1F
*, xrefs: 004020E1
4, xrefs: 00402074
v, xrefs: 00401B5A
{, xrefs: 0040211D
., xrefs: 0040201F
x, xrefs: 00402088
{, xrefs: 00401E3C
!, xrefs: 00401B1E
{, xrefs: 00401B4B
5, xrefs: 00402109
!, xrefs: 004020CF
', xrefs: 00402006
W, xrefs: 00402033
o, xrefs: 00402097
%, xrefs: 004020FA
!, xrefs: 0040201A

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 05B3B7C8 Relevance: 8.0, Strings: 6, Instructions: 547
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05B3BEFC
$kq, xrefs: 05B3BF20
$kq, xrefs: 05B3BEC7
$kq, xrefs: 05B3BF14
$kq, xrefs: 05B3BED3
$kq, xrefs: 05B3BEF0

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: a3bd415bcf555a4f5900033a928227d4c305ff6968803e52b273318766378063
Instruction ID: d52b072087ebb88d23aec132843ae19e0f378d224102bca0ef34276fd233e63d
Opcode Fuzzy Hash: a3bd415bcf555a4f5900033a928227d4c305ff6968803e52b273318766378063
Instruction Fuzzy Hash: D9322E35E107198FCB14EF65D8955ADB7B2FF89300F60C6AAD409B7268EF30A985CB50

Function 05B3DD90 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05B3E31E
$kq, xrefs: 05B3E312

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 0252dd1d5baae552fe9d01ae3be3c5847d8bd18f33f346c05d203a829883332e
Instruction ID: 65d7363562229d128c00431b113fc789e6a2778ac0d2fca103d0534689e99a2a
Opcode Fuzzy Hash: 0252dd1d5baae552fe9d01ae3be3c5847d8bd18f33f346c05d203a829883332e
Instruction Fuzzy Hash: 0C027B30B102158FDB14DB64D5956AEB7F6FB88300F6484A9E806EB399DF35EC46CB90

Function 05800500 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 058005FE
Xoq, xrefs: 05800617

Memory Dump Source

Source File: 00000000.00000002.4095415937.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: Xoq$$kq
API String ID: 0-227003152
Opcode ID: 9f0dac7c9576b77486bfb22742d4f548f33fdf5fb709f754baa163767cff5fee
Instruction ID: 4158fe93cad748478a03c04b0fab2303280139e567f54b9e06286af7aee78e10
Opcode Fuzzy Hash: 9f0dac7c9576b77486bfb22742d4f548f33fdf5fb709f754baa163767cff5fee
Instruction Fuzzy Hash: 66B18331B05318CBCB48AFB9985977E7BA7BFC5700B58896DD406EB398DE349C028791

Function 05B38358 Relevance: 2.2, Instructions: 2227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbd1faad080521507f5d9d62f2808bde13914ba6610b71ab835e6240eefa572
Instruction ID: 49b89aa9c305f54fa9bca71bab8dd77f7abccd997a94ee08e12f012486c40a63
Opcode Fuzzy Hash: 5bbd1faad080521507f5d9d62f2808bde13914ba6610b71ab835e6240eefa572
Instruction Fuzzy Hash: CB331D31D10B198ECB15DF68C884AADF7B1FF99300F15D69AE448B7225EB70AAC5CB41

Function 05B3C5A0 Relevance: .8, Instructions: 837COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970e1be9868a52b650c4f4aeb071e6bef944f236c7ce1f66fc7aa63961d48a0f
Instruction ID: f4ef24f96fb75124a53c2f63acb1bf47e3bb2deafcc99692d4acadc2f9ca88c0
Opcode Fuzzy Hash: 970e1be9868a52b650c4f4aeb071e6bef944f236c7ce1f66fc7aa63961d48a0f
Instruction Fuzzy Hash: 57625B35B102048FDB14DBA4D555AADBBB2FF88350F6484A9E806FB395DB35EC42CB90

Function 0222CD50 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9554e81eacd6f653074bef886b08dd41b7b7580800a50e4f86e998cf0a232411
Instruction ID: d53f75269cfbd0bf5a4a874a955356971e8d3d7a01e54564aa7cf734f973ea17
Opcode Fuzzy Hash: 9554e81eacd6f653074bef886b08dd41b7b7580800a50e4f86e998cf0a232411
Instruction Fuzzy Hash: 32B17070E10219DFDB10CFE9C9817DDBBF2AF88314F15812AD815A7268EB759949CF81

Function 0222D620 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4706fc1bcf91d80f34853d3038bdf0c1c1b611ddafab78151c6a88411f188f1
Instruction ID: 247b7cb0e011ce1925d9fa38a8b133bf70179af3ad5100e0342ca3460e73fd25
Opcode Fuzzy Hash: e4706fc1bcf91d80f34853d3038bdf0c1c1b611ddafab78151c6a88411f188f1
Instruction Fuzzy Hash: DEB18070E1021ADFDB10CFE9D9817EDBBF2AF48314F148129E414EB298EB759849CB81

Function 061C3154 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568726de02b851dec8aa976e10d653b12deab13d36546431f235909a41f6f980
Instruction ID: df99be156406d1baf96b7362c141b88adbf63b4e57b0bab2e29396f526447e66
Opcode Fuzzy Hash: 568726de02b851dec8aa976e10d653b12deab13d36546431f235909a41f6f980
Instruction Fuzzy Hash: 3BA19335E103198FCB44DFA4C8949EDFBBAFF99310F558619E416AB2A4EB30E845CB50

Function 0222CA08 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981385d0dd17f505183a3d791791abd504fbd9b1b2e9be12c07eaa86a05a990f
Instruction ID: 290466345302560ac0174822275dbcdaa6daa4bb2ff207ee070bb1c173f53220
Opcode Fuzzy Hash: 981385d0dd17f505183a3d791791abd504fbd9b1b2e9be12c07eaa86a05a990f
Instruction Fuzzy Hash: 32917070E10219EFDF10CFE8C9857DDBBF2AF88314F15812AD405A7268DB759949CB81

Function 061C3A10 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f74010679295119689d6c231b0cf0c6de4f716a5353f179f30079702f84c0a
Instruction ID: 580cbd412a8a1ca075fc07a8efecebb114bb5412b01084257aaf4d6851a038ca
Opcode Fuzzy Hash: 90f74010679295119689d6c231b0cf0c6de4f716a5353f179f30079702f84c0a
Instruction Fuzzy Hash: 1391A235E1031A9FCB44DFA0D8549DDFBBAFF99310F658219E416AB2A4EB30E845CB50

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 061C7100 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061C718E
GetCurrentThread.KERNEL32 ref: 061C71CB
GetCurrentProcess.KERNEL32 ref: 061C7208
GetCurrentThreadId.KERNEL32 ref: 061C7261

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1b95392a7d43e56c4ceb7ad5ce126cc3f4443b02aa25c2dc9852b2b3a460a09e
Instruction ID: 743e886cff5ef991e7dcfa9c2318ea2942afc8f67f5b8e0d0033286e1030c414
Opcode Fuzzy Hash: 1b95392a7d43e56c4ceb7ad5ce126cc3f4443b02aa25c2dc9852b2b3a460a09e
Instruction Fuzzy Hash: 525154B09013498FDB54DFA9DA48BDEBBF1AF48324F208059E409A72A0DB749984CF65

Function 061C7110 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061C718E
GetCurrentThread.KERNEL32 ref: 061C71CB
GetCurrentProcess.KERNEL32 ref: 061C7208
GetCurrentThreadId.KERNEL32 ref: 061C7261

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8138b60cceb529078013045d2e4ad57681123d95957538614288195708dbfd81
Instruction ID: 74373bed1dc00915c1e10ee93004381c3dc513d90c423f82bd996e33ea6ae8e5
Opcode Fuzzy Hash: 8138b60cceb529078013045d2e4ad57681123d95957538614288195708dbfd81
Instruction Fuzzy Hash: 095145B09013498FDB54DFAADA48BDEBBF1AF48314F20C059E419A73A0DB749984CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 05B3F1B8 Relevance: 5.2, Strings: 4, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05B3F20B
$kq, xrefs: 05B3F23A
$kq, xrefs: 05B3F1FF
$kq, xrefs: 05B3F246

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 32adefe74d74fdbfb2564d9f2263677db3e3ca0ade268d5f0bf3faeb769e4f89
Instruction ID: f36fd04bf4cff5cd2c4255aaa7c52aaafdb44151b5a55df518ecb4c2aa3e66f6
Opcode Fuzzy Hash: 32adefe74d74fdbfb2564d9f2263677db3e3ca0ade268d5f0bf3faeb769e4f89
Instruction Fuzzy Hash: 9C915074F102098FCF64DF25D991BAEB7B6FB88300F5085A9D809A7359EB34AD418F91

Function 05B3F19E Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05B3F23A
$kq, xrefs: 05B3F1FF

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: c79544015b258157afa9b6a44a954fdd873c6be59eb0dc21e6c84ebbbc72d7a7
Instruction ID: 2a2bd15342f36221e9b1ddd34fd217be8a2f67a06bfd48fc8b085d1b051b05f1
Opcode Fuzzy Hash: c79544015b258157afa9b6a44a954fdd873c6be59eb0dc21e6c84ebbbc72d7a7
Instruction Fuzzy Hash: 47514D74F102098FCF54DF64D9917AEB7B6FB88340F5084A9C909A7359EB34AC518F91

Function 061C370E Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061C382A

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 42b27623e43368cce81811f7583757d5234e78876898fdccb0fc73b66384d6d1
Instruction ID: 730b4d5f06da2a1dbe97d38310a1c4e4632d753ea835b0b9d00cc8174a0c53f1
Opcode Fuzzy Hash: 42b27623e43368cce81811f7583757d5234e78876898fdccb0fc73b66384d6d1
Instruction Fuzzy Hash: A551B1B5D00309DFDB14CF99C984ADEBBB5BF48310F24862AE419AB210D770A845CF90

Function 061C3718 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061C382A

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e3f7995db4dfd34c9bbaf6921914c92f7946a03c1d2c01bf12fe4807b41034d5
Instruction ID: e1a92c3d6968d15979f3a4bc4be283151c7ca7e58c090ae71f939cc6803cd3c3
Opcode Fuzzy Hash: e3f7995db4dfd34c9bbaf6921914c92f7946a03c1d2c01bf12fe4807b41034d5
Instruction Fuzzy Hash: 1741AFB1D00309DFDB14CF9AC984ADEBBB5BF48310F24862EE419AB210D771A985CF90

Function 061C6ED4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 061C82A9

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a8f744ad1b019772ce2d040099cea13295c775aa1a5f98e5211d689785226366
Instruction ID: 112126150d36272a90ad2c045b206b6b55c4118ca4b2d9365f7ce25e98d06bab
Opcode Fuzzy Hash: a8f744ad1b019772ce2d040099cea13295c775aa1a5f98e5211d689785226366
Instruction Fuzzy Hash: 824138B5900745CFCB94CF99C488AAEBFF5FB98324F14C459D519AB320C770A840CBA4

Function 061C8F2E Relevance: 1.6, APIs: 1, Instructions: 73comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 061C8FC0

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 1483b977fe935a28b90433db85e9e76362be7e223122fb51a2eba2dce94ce1e9
Instruction ID: 15c788d3134dffd89c0a689bf6e2124616a99f6ceed44b8fae42169dc7267325
Opcode Fuzzy Hash: 1483b977fe935a28b90433db85e9e76362be7e223122fb51a2eba2dce94ce1e9
Instruction Fuzzy Hash: BE31F2B0E01248DFDB54CFA9C984BDEBBF5AF48314F248459E004BB2A4D7B46945CF65

Function 061C8F38 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 061C8FC0

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 15851628a7f0f6f338968a69e23b65a31a36d98fb767a2c49ddeae4398705b9b
Instruction ID: 4bf1e0599a8429048cb0a00920143770ed24a03cd84bde797adb6db7d83fcdee
Opcode Fuzzy Hash: 15851628a7f0f6f338968a69e23b65a31a36d98fb767a2c49ddeae4398705b9b
Instruction Fuzzy Hash: 6E3123B0E01208DFDB14CF99C984BCEBBF5AF48314F248459E004BB294D7B4A885CFA5

Function 061C7350 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061C73DF

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5adae027f2310e261340c8a4d5a1eb77b2d1df51764bcda0ec04b33dad633698
Instruction ID: 327d7b92bdcd06c72fc09fb9eec01dfd2c1feaad57f172f7848419cd8efc3489
Opcode Fuzzy Hash: 5adae027f2310e261340c8a4d5a1eb77b2d1df51764bcda0ec04b33dad633698
Instruction Fuzzy Hash: E52105B5D00219DFDB10CFA9D984AEEBBF4EB48320F14841AE958A3250C3749951CFA4

Function 061C7358 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061C73DF

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ba793e33da9c4b70188e7e51eaa0bbf37473913ab75ef25206317f60e9caf9f
Instruction ID: 9485a3a978cf6a658d3e06e265fe7fb7d9f0d4a39f99b9e72d42cf9ca77f84c6
Opcode Fuzzy Hash: 6ba793e33da9c4b70188e7e51eaa0bbf37473913ab75ef25206317f60e9caf9f
Instruction Fuzzy Hash: B021C4B5D002599FDB10CFAAD984ADEBBF4EB48320F14841AE954A7350D374A944CFA5

Function 061CA931 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 061CA9B3

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0304a56073f3162e8b68a2c4a1779394d4ad0238d8ac70eb72d5f1777dc69fa8
Instruction ID: 7431ab4e030ed50f234798e059e5adee2a3832c794864ef631bd317dbfa66247
Opcode Fuzzy Hash: 0304a56073f3162e8b68a2c4a1779394d4ad0238d8ac70eb72d5f1777dc69fa8
Instruction Fuzzy Hash: D52130B5D00249CFCB54CFAAC944BEEFBF4AF88320F10842AE459A7250C775A940CFA0

Function 061CA938 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 061CA9B3

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fe88baebe47594956662dd105c3fda23b3cbd9c84a007826130383cf9d5aa52b
Instruction ID: 44e7296729cf3198f5aad11bbe366852a8f271900512c1fa666bb5f13ae643bf
Opcode Fuzzy Hash: fe88baebe47594956662dd105c3fda23b3cbd9c84a007826130383cf9d5aa52b
Instruction Fuzzy Hash: AF2122B1D00209DFCB14CF9AC945BEEFBF9AF88320F10842AE459A7250C775A940CFA4

Function 06481AB0 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06481A91,00000800), ref: 06481B22

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3da1727a0792483ec208b81a328873b3295069d7989f8165dd8b255e9865a900
Instruction ID: 3a3f072470701cf7c570b3ae3c940795ea847a0912eb1655629a77d9bedfb495
Opcode Fuzzy Hash: 3da1727a0792483ec208b81a328873b3295069d7989f8165dd8b255e9865a900
Instruction Fuzzy Hash: A21114B6D00249DFCB24DFAAD944ADEFBF4EB88324F10842AE459A7310C375A545CFA5

Function 064807DC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06481A91,00000800), ref: 06481B22

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51e04b820f727ea62754687937cc2f96c93f811f3c55239a4f03dfc7bc32616b
Instruction ID: 35d334d344b291ded17ccca8c18afd4f8bff6247c577d5d87d1ef9a1da2122d0
Opcode Fuzzy Hash: 51e04b820f727ea62754687937cc2f96c93f811f3c55239a4f03dfc7bc32616b
Instruction Fuzzy Hash: 2A1126B6D002499FDB10DF9AD444ADEFBF4EB58320F10842AD819A7310C374A545CFA5

Function 05800A80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05800AE7

Memory Dump Source

Source File: 00000000.00000002.4095415937.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a6055432db7f35c11682fa1f395e00ff337a0354640a6eb0b8abf7a9b8502881
Instruction ID: 54ea275c600971b7d4ab3d067b9990ae39c8b0e97daf09f53a07d145918b890e
Opcode Fuzzy Hash: a6055432db7f35c11682fa1f395e00ff337a0354640a6eb0b8abf7a9b8502881
Instruction Fuzzy Hash: 411123B1D0026ADFCB10CF9AC944BDEFBF4AF48320F10812AD818A7240D378A944CFA5

Function 061C158C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 061C2C46

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ad7527d5989cbeaf649c3a63d21e3516026edb429518ac805e2587cdc72bfcf2
Instruction ID: 576ed36d23e5dbd220be3730ae60354442171df6925d96a529761293065a7121
Opcode Fuzzy Hash: ad7527d5989cbeaf649c3a63d21e3516026edb429518ac805e2587cdc72bfcf2
Instruction Fuzzy Hash: 701102B5D003498FCB10DF9AD944BDEFBF4EB48224F10846AD919B7210C374A645CFA9

Function 061C2BD9 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 061C2C46

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c3c88b057474fe0c4d28751f0c9ed96eac9a5d8ae8d91c71e2676fdbe66ea45
Instruction ID: 5002743dd086fe8ca05b49b6eb411e12ed7c7a428ede38f1f5dde0182c31d74e
Opcode Fuzzy Hash: 4c3c88b057474fe0c4d28751f0c9ed96eac9a5d8ae8d91c71e2676fdbe66ea45
Instruction Fuzzy Hash: 32113FB1D002498FCB10DF9AC984ADEFBF4AF89324F10846AD469B7210C374A645CFA4

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 061C8551 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,061C84F5), ref: 061C857F

Memory Dump Source

Source File: 00000000.00000002.4095973859.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61c0000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 00eae48e357490e8b789854512b96e4e9ec5605c8852ee1f6038292c0e4ed1b7
Instruction ID: 375dbc5d13b149eba6c907aa8e24ae057ff224e1217f6b4ede6d69d4fd675ec7
Opcode Fuzzy Hash: 00eae48e357490e8b789854512b96e4e9ec5605c8852ee1f6038292c0e4ed1b7
Instruction Fuzzy Hash: 99F067B1800308CFCB10CF89D4887DEFBF0AF88324F24842AD559A7250C378A444CFA0

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 05B31038 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 05B3105E

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 18fc0847cd4b7ba3a48b250f4a12c8ac9809ce01c03b293451176f083045525c
Instruction ID: 80a377dda8ad52174bba7cc6df227c2f3a69dc6aaba786c9dedbb0ef29d42beb
Opcode Fuzzy Hash: 18fc0847cd4b7ba3a48b250f4a12c8ac9809ce01c03b293451176f083045525c
Instruction Fuzzy Hash: B1516F34B102148FDB14EB68C959AAD77FAFF89710F2044A9E406EB3A4CB75EC41CB91

Function 05B3A830 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 05B3A96B

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 918ed720acd4349cdd82da5668311ec3979460ef964b630a4ed41e631ecc041b
Instruction ID: d032a8586a4f82336f6fcabe0fca49c72df49a9a45f8b8bb4d24f1f2643118e7
Opcode Fuzzy Hash: 918ed720acd4349cdd82da5668311ec3979460ef964b630a4ed41e631ecc041b
Instruction Fuzzy Hash: 8231AE30B002058FCB149B34951566F7BA7FB88610F2089A8D406FB395EE39EC46CB91

Function 05B3A821 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

PHkq, xrefs: 05B3A96B

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 5d8066afcab8335aabf52c5ad727894d9da1704e4398b53dbd4bb3da3e9b6fa4
Instruction ID: cce31fa628e90789909827a0e38177162aa112758b525078319d50b2da5827e4
Opcode Fuzzy Hash: 5d8066afcab8335aabf52c5ad727894d9da1704e4398b53dbd4bb3da3e9b6fa4
Instruction Fuzzy Hash: F131D031B002018FCB159B34D61566E7BA7FB88210F2489ACD446FB395EF39EC42CB91

Function 05B31B10 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRkq, xrefs: 05B31B94

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 464a672d6c57ee13ef354543df815cf26ded1d7a8321e94ba3218d7ef082276f
Instruction ID: 1731efa18694fa39fefc1dccd29344fc4a985ec4db13a236262916c586c6e87a
Opcode Fuzzy Hash: 464a672d6c57ee13ef354543df815cf26ded1d7a8321e94ba3218d7ef082276f
Instruction Fuzzy Hash: BA314031E102099BDB14CF68D552BAEB7BAFF85310F6089A9E805FB250FB71B941CB50

Function 05B31B00 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LRkq, xrefs: 05B31B94

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: ee52c67ce9b5d47623583b7584ddf778e14f7618b94b637fc287433c312e1afb
Instruction ID: f6ee21bf6a35901af11b819e5294860882f30749e4b1583ad1404f4b376e0453
Opcode Fuzzy Hash: ee52c67ce9b5d47623583b7584ddf778e14f7618b94b637fc287433c312e1afb
Instruction Fuzzy Hash: 08313D71E102059BDB15CF68C592BADB7BAFF85300F6088A5E805FB254FB74A941CB50

Function 05B30D00 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

LRkq, xrefs: 05B30D27

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 5bc28d0c9f45cccaa2fa8aa8e0ed5aeccfc1d7c37674b688340a449b3980ff1f
Instruction ID: 565ff8c50c046c55623a3f96956e25438bc092f63f1511ba0e1e5cc80b8efc34
Opcode Fuzzy Hash: 5bc28d0c9f45cccaa2fa8aa8e0ed5aeccfc1d7c37674b688340a449b3980ff1f
Instruction Fuzzy Hash: A41103717102044FC706AB79E4246AE7BB3EF8A310F1184A9E005CB39CEE34EC018B95

Function 05B30CEB Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

LRkq, xrefs: 05B30D27

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 4989db873cfb8bbe573ab3fcd83b5e1ab7ab49388631e306a74f808356f5accf
Instruction ID: c42b243ae9860f88658290954cfaa466c532e5c05c0494cd99afb12c767b99a8
Opcode Fuzzy Hash: 4989db873cfb8bbe573ab3fcd83b5e1ab7ab49388631e306a74f808356f5accf
Instruction Fuzzy Hash: 6B0124707042149FCB06AF78D0146AE7BF7EFCA310B1080AAD019CB3A4EE35EC418B95

Function 05B3E2ED Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

$kq, xrefs: 05B3E312

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 919ec7c45821cad571e5db8e2931fc65f92297e463d373448cae08e191c9498d
Instruction ID: 929aef5fdab0a98ac4ef968e08d8e4b5d44ec17377dfd789f9b3c68961d79684
Opcode Fuzzy Hash: 919ec7c45821cad571e5db8e2931fc65f92297e463d373448cae08e191c9498d
Instruction Fuzzy Hash: DAF05835A44204CFDF2A9A44EA866EDB7BAFB40211F1848ABD902B3194C739F981CB50

Function 05B3A9A8 Relevance: 1.1, Instructions: 1094COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdd419bfbc74b835a57b1ead5aed36a960ece268b8272808148ab28afc84bd5
Instruction ID: abf8725ce1d63736734d7711c4ef180c7a6355924764a2a41d369a37859cb7bd
Opcode Fuzzy Hash: 5cdd419bfbc74b835a57b1ead5aed36a960ece268b8272808148ab28afc84bd5
Instruction Fuzzy Hash: 59A25A34A00304CFCB24DF64C599A6DBBB2FB45355F6489A9E446AB3A5DB35EC81CF80

Function 05B34670 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb90d7ca642a6368b646574d521511e4e15f25bb173483b463255303e69fc54
Instruction ID: 6e1472e3a99bbdadd375d92bc720cc125821391bf81edf54be3ddf98544a4768
Opcode Fuzzy Hash: 4cb90d7ca642a6368b646574d521511e4e15f25bb173483b463255303e69fc54
Instruction Fuzzy Hash: F8D18135B102048FCF14DF68D599A6DBBB2FB89310F2485A9E806E73A5DB35EC45CB84

Function 05B324C9 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8803e0c31a5de2f0d85e37f669fddd7980b0bce535146d86e25ce64e007cd8
Instruction ID: d4463c46bee941c6e93efd2cf2e69ac635f0ca89f6b4d5750ab0a359ab7894c6
Opcode Fuzzy Hash: 7a8803e0c31a5de2f0d85e37f669fddd7980b0bce535146d86e25ce64e007cd8
Instruction Fuzzy Hash: 4EA101757203008BCFA92778B06963C79A3FBC9356BB544ADE506D7380DE35EC429B4A

Function 05B34BC0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd019ac916c8f60f0a2af422a60491731230d7aaade6e4c34d030d9d9e7297e
Instruction ID: 7222d38d68859bebd8380f4bc6d0cf28c715152439aec6300b2d7526c4edf94d
Opcode Fuzzy Hash: ccd019ac916c8f60f0a2af422a60491731230d7aaade6e4c34d030d9d9e7297e
Instruction Fuzzy Hash: C8817E71A002049FDF04DF69D985B9DBBB6FF88310F14C1A9E909AB3A5DB71E844CB90

Function 0222D398 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b12303080e827ce1cff4d8ebaf9a1c4761002f8fdf9b1408c1bd9e3dac0b1a
Instruction ID: 76e42605293ef34d963548550b7a1d49d5eb030227b0d013bc4bf4f6ef0ba0ab
Opcode Fuzzy Hash: 33b12303080e827ce1cff4d8ebaf9a1c4761002f8fdf9b1408c1bd9e3dac0b1a
Instruction Fuzzy Hash: A9715EB0E10219EFDF14CFA9C88179EBBF6AF88314F148029E405A7258DBB59845CF91

Function 05B349E0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098103954ce05e4cac757b0548378b178ca8b1d1f232db3e39c2e8076fee80ec
Instruction ID: 1aa5c6a6cb546aa306b7b79cd60f56506a9dc99576517067fafc0b51abb45385
Opcode Fuzzy Hash: 098103954ce05e4cac757b0548378b178ca8b1d1f232db3e39c2e8076fee80ec
Instruction Fuzzy Hash: 73419430B002459FDF20DB68D995B7FB766FB85310F2088AAD40AEB395E635EC858785

Function 05B30E2C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc34bd74e33e33200999539ada3bfee9c54cc761e9641cb0c70d1d67bf1e9be
Instruction ID: b5dd679403f503e81ebd04b0ffba803dc7622bc34c1f68db10c7c9f646157a96
Opcode Fuzzy Hash: 6dc34bd74e33e33200999539ada3bfee9c54cc761e9641cb0c70d1d67bf1e9be
Instruction Fuzzy Hash: 7651F3B1E002188FDB14DFA9C889B9DBBB1FF48310F55815AE819BB254D7B4A944CB94

Function 05B30E38 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ca4f440fb3c174b405b79ccabb4b8107f3c667b679693164a001b27b1a6adb
Instruction ID: b661bdacacd9fd707804520577110e83c96955f9f717afd794461af0f05e7a59
Opcode Fuzzy Hash: 05ca4f440fb3c174b405b79ccabb4b8107f3c667b679693164a001b27b1a6adb
Instruction Fuzzy Hash: BE510370E006188FDB14DFA9C889B9DBBF1FF48310F148159E819BB264D7B4A944CF94

Function 05B3A692 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c8b3f144fc8a0a89844af2977729c3d72b4f7bc24716531283e849203fa665
Instruction ID: dfeac3eb717b4da52d94c97826e5454353a602038f829fdad5a233dea63cb1b3
Opcode Fuzzy Hash: 74c8b3f144fc8a0a89844af2977729c3d72b4f7bc24716531283e849203fa665
Instruction Fuzzy Hash: 0E317031B106058BCF05DFA4D4996AEBBB3BF89310F608569E801FB344EF74A8028B95

Function 05B3A6A0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8be601df5b1bc36ec213786126956b942c028df08f37d2c4410c5add181f96f
Instruction ID: 6cc004e9433c73e72846a26629822d8923f511bf579e9784390b43d5794393c7
Opcode Fuzzy Hash: e8be601df5b1bc36ec213786126956b942c028df08f37d2c4410c5add181f96f
Instruction Fuzzy Hash: 16316F31B106058BCF05DFA4D4956AEBBB3BF89210F208569E805E7354EF70A8428B95

Function 05B3448F Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840da6d04098a6df61cbbb56d1ad9e49617cbf47d02594e324b5b11876e44a78
Instruction ID: 230efbaf8c07f8260d92c1c2ad84a58d235ad0165ab7285940c7b8bb8710b35e
Opcode Fuzzy Hash: 840da6d04098a6df61cbbb56d1ad9e49617cbf47d02594e324b5b11876e44a78
Instruction Fuzzy Hash: 8131C171E102059BCF15CF64D9996AEBBB2FF85300F5184AAE801EB391EF74E8468B50

Function 0222B270 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e453547a3e9fadce5a226354a963912cf34fc75d575b55667b668b3ef79d5c9
Instruction ID: c95f6f29848dca6d68492b3559269967da659e5d4853559e3c9221da7203fb14
Opcode Fuzzy Hash: 5e453547a3e9fadce5a226354a963912cf34fc75d575b55667b668b3ef79d5c9
Instruction Fuzzy Hash: A441C0B0D00359EFDB10DF99C584ADEBFF5BF48314F10842AE819AB254DB75A949CB90

Function 0222DC30 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8614cf531c4db9ad541fefbfb90978cc1a9c9a0baf6d329d242503088854a478
Instruction ID: af036fe2131f373fa76a2b8ab1f7b9d502a53102fc72b234144b330237dcaa35
Opcode Fuzzy Hash: 8614cf531c4db9ad541fefbfb90978cc1a9c9a0baf6d329d242503088854a478
Instruction Fuzzy Hash: FE3141347102259FDF18EFB4D5546AE77B6AB89304F100468D806AB3ACDF7ADC45CBA1

Function 05B344C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043f56204144989575c318669658a761257228c5d3ad3ae888007505d85e17b3
Instruction ID: 1ba0bea790afd8659b0e98c5a0ae1f714c73eb72857ac47e1795a22dbc6f528f
Opcode Fuzzy Hash: 043f56204144989575c318669658a761257228c5d3ad3ae888007505d85e17b3
Instruction Fuzzy Hash: 24317F31E102059BCF55CF64D5596AEBBB2FF89300F518569E802FB354EF71E8468B50

Function 05B3C240 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5554303348b5f61218f45e5290877d8c999aa630d0dec834cde3e366fdf4b7c9
Instruction ID: c13b67e53d8d86ae506d76fa8a4e02753d1f5bcad4fa6e5eec02aaf0cf4ff8cf
Opcode Fuzzy Hash: 5554303348b5f61218f45e5290877d8c999aa630d0dec834cde3e366fdf4b7c9
Instruction Fuzzy Hash: DE215A75B102159FDB00DFA9D941AAEBBF1FB48600F108069E905F7354EB34EC418BA4

Function 05B3C232 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bbd10d2afff6c570cbc37048d55dea9a03c5735c854c4c5cc3f0732739106c
Instruction ID: 10d61c48fe1593672733dd1465b56c6c8c8d51ed5d80837ee081ca4dd99fabaa
Opcode Fuzzy Hash: e5bbd10d2afff6c570cbc37048d55dea9a03c5735c854c4c5cc3f0732739106c
Instruction Fuzzy Hash: A62146B5A106159FDB00DFA9D981BAEBBF1FB48710F10806AE905F7395EB35EC018B90

Function 05B3437F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a759153f79cf61c3080789f9f38cce9f18164093078071036eda4935b7b02fbe
Instruction ID: f5c571a9a52d91f623bf4a273f409692ada8b28bf34c9b8b4d140237170b5a44
Opcode Fuzzy Hash: a759153f79cf61c3080789f9f38cce9f18164093078071036eda4935b7b02fbe
Instruction Fuzzy Hash: 4421A131E102099BCF18CF64D5556AEBBB2EF89310F508569EC12B7390EF75A846CB40

Function 020CD5E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092916460.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20cd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d92e46098937bb23efd7fa2f5e882f7c1c83b6487a42d1a1770ffef4bf22408
Instruction ID: 19869bbc9e89e9b54b2bd3badb4c0e3edfc8211711f22283c5514b8750630827
Opcode Fuzzy Hash: 8d92e46098937bb23efd7fa2f5e882f7c1c83b6487a42d1a1770ffef4bf22408
Instruction Fuzzy Hash: EB21EDB1500304DFDB05AF14DAC0B2ABBA5EB98314F20857DE80D4A256C336D456EAA1

Function 05B34390 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc255c303b954f86d8d4abcf38d0f0d3c78826c4ce4c1039ec809fe6f3626245
Instruction ID: 3cd2fac4308ce1587cdc62a11a0a22eee06e7e430f9e7614a3eff0da940fe88e
Opcode Fuzzy Hash: bc255c303b954f86d8d4abcf38d0f0d3c78826c4ce4c1039ec809fe6f3626245
Instruction Fuzzy Hash: DB217F31E102059BCF18CFA4D5556AEB7B6FF89310F10856AE816BB390EF75A846CB40

Function 020DD3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8da91135ab6e4ca35cc9ec8f0e024985f4cd602f2c192a5906bfe23ce046afe
Instruction ID: cbde883e67c6f839fa36991705d6b1a16f53819a5d085be002114f68569994f6
Opcode Fuzzy Hash: c8da91135ab6e4ca35cc9ec8f0e024985f4cd602f2c192a5906bfe23ce046afe
Instruction Fuzzy Hash: 6D2146B2600300DFDB09DF14D5C0B2ABBA5FB84314F20C56DD9094B256C376F846DB61

Function 020DD1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e652b3d8428769cfe9d292ac30bb9957a5a27cd07a24e86a0996b751d56b2d43
Instruction ID: d6ee47371a4fe31b56f65d651336a209c5b2744822ca42631b4222e0e0464c7e
Opcode Fuzzy Hash: e652b3d8428769cfe9d292ac30bb9957a5a27cd07a24e86a0996b751d56b2d43
Instruction Fuzzy Hash: 902138B2545300DFDB11DF14D9C4B3ABBA5FB94324F20C569D8494B245C376D446DAA1

Function 020DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f907cb9cdbc464d53f07cab31344e1c94da6ba67fbf3da993bc0cabb0805ad4
Instruction ID: 831e03319fe44ef0b8d53dc8884c6bc8d7d59c0388b22a13ccfdd82ab184b605
Opcode Fuzzy Hash: 1f907cb9cdbc464d53f07cab31344e1c94da6ba67fbf3da993bc0cabb0805ad4
Instruction Fuzzy Hash: 91210472504304DFDB15DF14D9C0B2ABFA5EBC4314F64C56ED9094B256C33AD847DA62

Function 020DD006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfdbcef9eddac502844d6a0fd7fe9cbcbea57bac4caaafe1b93343e9fd106f2
Instruction ID: be5ef81b775e9f35c6794ce73437dababfe53322de917a92757597598dc87ce9
Opcode Fuzzy Hash: ddfdbcef9eddac502844d6a0fd7fe9cbcbea57bac4caaafe1b93343e9fd106f2
Instruction Fuzzy Hash: DA215E755093809FC703CF64D994711BFB1EB46214F29C5DBD8848B2A7C33A984ADB62

Function 0222DB20 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc7b66104cfe807a6f61e2ccc452234a39e1dbe4eda016f0196242315de2586
Instruction ID: 3333f2c9383c21e1a965d0e0d1a571eee1ca38b723a26fcfb1283f0ab47888c9
Opcode Fuzzy Hash: 6bc7b66104cfe807a6f61e2ccc452234a39e1dbe4eda016f0196242315de2586
Instruction Fuzzy Hash: BC213934B10215CFDB54EFB8C568AAD77F2AB4D700F100468E806EB3A5DB769C44CB50

Function 05B32098 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19eba32ce6acf555f80318bf5021d81a6fb96ce7f679f13e55b2dfffdaee72b
Instruction ID: b4f43000e1c1e32ee54e50f92555b1fdf42248a67fb35da6b987067d2d297647
Opcode Fuzzy Hash: b19eba32ce6acf555f80318bf5021d81a6fb96ce7f679f13e55b2dfffdaee72b
Instruction Fuzzy Hash: C12128B1C05258AFCB01DF9AC9846CEFFB4FF49320F10816AD558A7251D3746944CBA5

Function 05B3CCE0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3255b5f612481439dc3920058251542aee5b5d879e2b67529ad78ec57d5721f8
Instruction ID: bf7e9f589e320f108a59e085242919210bd9f95fe08488f2cfd6ca8b9dbe9f71
Opcode Fuzzy Hash: 3255b5f612481439dc3920058251542aee5b5d879e2b67529ad78ec57d5721f8
Instruction Fuzzy Hash: E4217531B101149BCF54DB69E552AADBBB7EF84250F108469E805F7354DB31AC018B90

Function 05B3C358 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b774f461ed1d425fcc488847fab7764291eab4768d0681be2324f65493ee67b0
Instruction ID: 411e94d6d0ba6e8b784df51eede3855b152e865438c5d05e744e2a8e76c6d976
Opcode Fuzzy Hash: b774f461ed1d425fcc488847fab7764291eab4768d0681be2324f65493ee67b0
Instruction Fuzzy Hash: 99116536B101254BCF6496A8D8156BE77EBEBC9650B108579D406F7358EE34EC028BD1

Function 020CD5E3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092916460.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20cd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction ID: 26fbc040ac6061f83778ee5d3f8372efbb807b4f82e362c8f5655cb31984d2c7
Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction Fuzzy Hash: 1C11DFB2404340CFCB02DF10D9C4B1ABFA1FB94314F24C5ADD8090B256C336D45ADBA1

Function 05B320B4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef979c2d5ba0b87780fbb5d13e348ec9d1c88107e3a273226f80ac9ca2090cb1
Instruction ID: 020c0e1ab7a61d7eff503a67f8e49001be7d551cf40da7b5ab4e18aad3dd78ee
Opcode Fuzzy Hash: ef979c2d5ba0b87780fbb5d13e348ec9d1c88107e3a273226f80ac9ca2090cb1
Instruction Fuzzy Hash: 6421EFB1D00259ABCB10DF9AD985A9EFFB4FB49320F10816AE918B7200C374A954CFA4

Function 05B3C008 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140782a87f33d4afba6ac9496201139fe0e181a0200f5e30eaa60fc9d4ce2a37
Instruction ID: e05de56c5e45b92cedfe553ee29379cf4dadce1053c56cb0e68da09811ebc2e2
Opcode Fuzzy Hash: 140782a87f33d4afba6ac9496201139fe0e181a0200f5e30eaa60fc9d4ce2a37
Instruction Fuzzy Hash: 2C21C0B1D01259EBCB10DF9AD985ADEFFB4FB49320F10816AE918B7200D374A944CFA5

Function 05B3C348 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5f7e37f1b0292a58e882c2581c5282904888afea2abf1efc666497aebc4bdc
Instruction ID: 3350a7f27b6a5f38583adb8e622a2c05fce79e36ce1a111a3fe94b2aa8c4fac7
Opcode Fuzzy Hash: ed5f7e37f1b0292a58e882c2581c5282904888afea2abf1efc666497aebc4bdc
Instruction Fuzzy Hash: 7401BC32B100241BCF5495A8C815AFF76BBEBC9650F108579D50AF7754EE24DC0247E1

Function 020DD3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction ID: 272248084e72f3215a4af4bb0fc29f8f323863be380a70254f3b5110e8823303
Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction Fuzzy Hash: 83119076504340DFDB06CF14D5C4B15BFA1FB84314F24C6AED9494B656C33AE44ADB52

Function 020DD1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092963083.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20dd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e076aa5e16aaa5104c2124104ac01287a50f003186d84f635ef1b786dd729d4
Instruction ID: cf151b40197b80ae36ec4e877c491acee61ad02352a55a6f314712df6f34430c
Opcode Fuzzy Hash: 6e076aa5e16aaa5104c2124104ac01287a50f003186d84f635ef1b786dd729d4
Instruction Fuzzy Hash: 11119D76505380CFDB12CF14D5C4B2ABBA1FB94324F24C6AAD8494B646C33AD40ADBA2

Function 05B34BB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df85c2a05f324641c87694c5cedaa61f1981baa27549efb5f76d65f103c33e2
Instruction ID: e17af08fca1c3026c0cf4f994f4cfef2d81152680e326bca71a7ac8846c8ab03
Opcode Fuzzy Hash: 8df85c2a05f324641c87694c5cedaa61f1981baa27549efb5f76d65f103c33e2
Instruction Fuzzy Hash: 3411A171A002048FCB04EF55DD45B8ABB76FF80310F95C5A4C8085F2A9DB74E949CBE1

Function 020CD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092916460.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20cd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caa30a8111f9b27042348059648dae97f0c059b0eb7601f3ad9b730978b69ad
Instruction ID: 98a4d75ec21e5862422d71992ec406be931396f562163317e6702eb9bf6f68c9
Opcode Fuzzy Hash: 4caa30a8111f9b27042348059648dae97f0c059b0eb7601f3ad9b730978b69ad
Instruction Fuzzy Hash: 43012DA140D3809ED7124B298D94756BFA4EF53224F29849BD8848F197C2699C45D771

Function 020CD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092916460.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20cd000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752688657424c442b4a84425a40665d1f4bb08733672d81981869f2eb8d2786e
Instruction ID: 4e7a508009c0fbc58d735675e7366d01572a37249be7e068acd7e5c7a8bf82fa
Opcode Fuzzy Hash: 752688657424c442b4a84425a40665d1f4bb08733672d81981869f2eb8d2786e
Instruction Fuzzy Hash: 90017CB15083449AE7218B29C984B6BBFD8EB41234F38C53EED484A286C379D842D6B1

Function 0222FEE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91c7bea42478c94003ff175d1b1ed0d811bd4558213dc99b9d1f9fb31793def
Instruction ID: 83d73cf2950ecaeb49b8e15c3f5f616787a12aea57876bc0b300a843843fc29c
Opcode Fuzzy Hash: b91c7bea42478c94003ff175d1b1ed0d811bd4558213dc99b9d1f9fb31793def
Instruction Fuzzy Hash: B4F04F30360220AFDA58A6789955B6972A69F85B54F010079F901CF7E9DFA3DC42C750

Function 05B328B7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba76304ba5731389594ccf660b2ab01358e7d36786e5b909e9dd22917bda603e
Instruction ID: 85d77b62529836aa111824859aea05598b99c4cac106593f884eac5c4a7f3de2
Opcode Fuzzy Hash: ba76304ba5731389594ccf660b2ab01358e7d36786e5b909e9dd22917bda603e
Instruction Fuzzy Hash: 3B01A7715201099FCB00FBA8FE845DDBB72EB81310F5057A8C5014F6ADDE75AA458BD1

Function 05B328C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b455913e2ec2eb3d3bfd52e9d17c2d5b7abc918109957056be5fb2df4397fdfd
Instruction ID: eff5d61009d68ff5f7cb8e6a897b8d3e5bb69aa29e80c5eb92787e740851c159
Opcode Fuzzy Hash: b455913e2ec2eb3d3bfd52e9d17c2d5b7abc918109957056be5fb2df4397fdfd
Instruction Fuzzy Hash: E30112309202099FCB00FFB8FE545ADBB72EB81300F5056A8C5059766CEB70AA488FD5

Function 05B33FB0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71e7c7a9d3f063e3db38a484d81d6b72a2f1f5ae66c36ad9d89d54d325c79fb
Instruction ID: 2cfd8c8b88f54fde9a0579176c7f68accaec8873fc378fd7b11e4f1c8ae3720d
Opcode Fuzzy Hash: c71e7c7a9d3f063e3db38a484d81d6b72a2f1f5ae66c36ad9d89d54d325c79fb
Instruction Fuzzy Hash: E0D022F7A216106BCB103BD0FD401DA7B01A748716B1A48D2E008C339BDD3CC8024B80

Function 05B33FC0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fdce74128fcdf382559d1c73bc0b59f254ef7fe4f63a01076b076a8ef087a0
Instruction ID: e23164785af7bd7b66a9882c387624dca1cc3e3b27cedcdb5375ee086937738a
Opcode Fuzzy Hash: 91fdce74128fcdf382559d1c73bc0b59f254ef7fe4f63a01076b076a8ef087a0
Instruction Fuzzy Hash: E1C02B35230334A74D0032D4B8004CBB70EC68C2253508597F8084330BCE7AEC010BD5

Non-executed Functions

Function 05B3D6A0 Relevance: 13.0, Strings: 10, Instructions: 470COMMON

Download Yara Rule

Strings

$kq, xrefs: 05B3D7CD
$kq, xrefs: 05B3DB59
$kq, xrefs: 05B3DB4D
$kq, xrefs: 05B3DBF8
$kq, xrefs: 05B3DC02
$kq, xrefs: 05B3D790
$kq, xrefs: 05B3DBEC
$kq, xrefs: 05B3DC0E
$kq, xrefs: 05B3D7C1
$kq, xrefs: 05B3D79C

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 9f9fe1c7d2f07ca0beab44f1bd7f0458b739ba283956b9f2f1b8be2c4b1546b1
Instruction ID: 84054d4537c0fa58c8ba6bd8b42909167d06dadaf4e67b90d23813a671b5dc8d
Opcode Fuzzy Hash: 9f9fe1c7d2f07ca0beab44f1bd7f0458b739ba283956b9f2f1b8be2c4b1546b1
Instruction Fuzzy Hash: 02123F30B11219CFDB24DFA5C955AAEB7B2FF84340F2085A9D40AAB364DB35AD85CF40

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00409092
@, xrefs: 00408D03
PA, xrefs: 00408E3D

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 06485BD1 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7d3db99d2639859344e4a7cde70469a082362eb11911fc1aebaea7c2cc481d
Instruction ID: a1f20d785c44edbd481729dd0608c3081fc28832b3ad6a29805b3ef2f28be8a4
Opcode Fuzzy Hash: 8c7d3db99d2639859344e4a7cde70469a082362eb11911fc1aebaea7c2cc481d
Instruction Fuzzy Hash: D6D12A30E00209CFDB95EFA9C948BAEBBF2BF45304F15855AE405AF2A5DB749945CB80

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 02220FD0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

4'kq, xrefs: 022210EA

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 08f7cf5fc29d1174b9e81a44a1acdecd5cdd44968166a6bba2ff9806f5052b83
Instruction ID: 8335268d4d880d4b6e1ebf6695f32878e96f1d2453c3e81d8e5cb78cf4661135
Opcode Fuzzy Hash: 08f7cf5fc29d1174b9e81a44a1acdecd5cdd44968166a6bba2ff9806f5052b83
Instruction Fuzzy Hash: 21717D719242448FD709EF3AE85169EBFE2EF86300B14D1AAD0059B26DDF38580BCF95

Function 02221030 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

4'kq, xrefs: 022210EA

Memory Dump Source

Source File: 00000000.00000002.4093196854.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 22e2b7d53b7997db01087793473c52a16dc264cd6bf5f553c1cfd64c66beef9a
Instruction ID: 95d074fe7906f9051eb75e951bdd0b49c2a6c71657c9d037496e99f01ea7b1b3
Opcode Fuzzy Hash: 22e2b7d53b7997db01087793473c52a16dc264cd6bf5f553c1cfd64c66beef9a
Instruction Fuzzy Hash: 91510971A202048FD708EF6BE9516AEBFE3EBCA300B14D169D1059B26CDF7868078F55

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 05B30040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cdf14ac5a6ac82dfa6ec1eb0c7bb7ebe15bd557e5c4ab4a31b6072d8dcad2b
Instruction ID: 40a772695998ed4e2cf5b7335c8d4e4070efce41fe7c758b36aa5a1d668e40f4
Opcode Fuzzy Hash: 75cdf14ac5a6ac82dfa6ec1eb0c7bb7ebe15bd557e5c4ab4a31b6072d8dcad2b
Instruction Fuzzy Hash: FC1264B8422B458ED720CF65ED8E18D3FB1BB56319B504209E2616B2E5DFBC258BCF44

Function 0648BF52 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967d40cea7f4b9671dda8c4b02af5350581e2c2cefd6542cc3c8b90c27784bdf
Instruction ID: bc09160d57357406ef0f90de9000971a03e97bb1baccbe5cb5f3ac31b97decb8
Opcode Fuzzy Hash: 967d40cea7f4b9671dda8c4b02af5350581e2c2cefd6542cc3c8b90c27784bdf
Instruction Fuzzy Hash: 4DD1D831C2075A8ECB11EB64D964ADDB7B2FF95300F60D79AD1493B225EB706AC4CB41

Function 064806A8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30e9acfeb96a2526bf6f5260bc25cb453e2a4b733c0efb5a3a3079bcb3d8872
Instruction ID: 3444f41f833e12114de068365dc17b1a8f5f2671a0cf812a734559139c0f8034
Opcode Fuzzy Hash: e30e9acfeb96a2526bf6f5260bc25cb453e2a4b733c0efb5a3a3079bcb3d8872
Instruction Fuzzy Hash: ABA16E36E102098FCF46EFB5D84459EBBB2FF89300B15416BE816AB251DB31E916CF80

Function 0648BF60 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096100395.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6480000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b620a33d96571fffc1414af8653fadba7def7e7c70045572953db98ded3055da
Instruction ID: 592b36d74b9eea974a5cd38fc4ee0818889b9a8386d1472c4bef875018e202d8
Opcode Fuzzy Hash: b620a33d96571fffc1414af8653fadba7def7e7c70045572953db98ded3055da
Instruction Fuzzy Hash: 4FD1C731C2075A8ECB10EB64D954AD9B7B2FF95300F60D79AD14937225FB70AAC4CB41

Function 05B30006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7eb43f5c7231a46faedc5021e64e8c53aa15c9d881c6acff5b21ae3855d635d
Instruction ID: 3c243981a69ceb2f1872b07f5a3ff308144714b60c2c9377030e7844af7b7182
Opcode Fuzzy Hash: d7eb43f5c7231a46faedc5021e64e8c53aa15c9d881c6acff5b21ae3855d635d
Instruction Fuzzy Hash: FED116B8822B458ED721CF64ED8A18D3FB1BB96314F554209E1616B2E5DFBC248BCF44

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,020F1900), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 05B3D0A0 Relevance: 7.9, Strings: 6, Instructions: 400COMMON

Download Yara Rule

Strings

$kq, xrefs: 05B3D5A1
$kq, xrefs: 05B3D383
$kq, xrefs: 05B3D5AD
$kq, xrefs: 05B3D537
$kq, xrefs: 05B3D3DB
$kq, xrefs: 05B3D3E7

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 2a8dbc279a05d7de844f658b4fda523d4a0263dfffdb4f0c782b265ed5c0d35b
Instruction ID: 642c1ea3bd53c0398990b81d1ef0a90fcef7efe9d246f26af85ac56c91625059
Opcode Fuzzy Hash: 2a8dbc279a05d7de844f658b4fda523d4a0263dfffdb4f0c782b265ed5c0d35b
Instruction Fuzzy Hash: 32F10C74B10204DFCB18EBA4D595A6EB7B3FF84340F248869D405AB3A9DB35EC86CB50

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(020F1660), ref: 00414050

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

P$B, xrefs: 0040FAAA
`$B, xrefs: 0040FACC

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004146FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000000.00000002.4092346754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4092327788.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092370776.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4092454067.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 05B3E400 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

$kq, xrefs: 05B3E6CE
$kq, xrefs: 05B3E65B
$kq, xrefs: 05B3E6C2
$kq, xrefs: 05B3E667

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 3b55248b332a49769af22fcdabce141f690ff685bb118cff33810a8ceaf68c60
Instruction ID: 52da2281c50b6933fdac79a4f98c12014edbec131b4231ae2b4c771c6174e0c9
Opcode Fuzzy Hash: 3b55248b332a49769af22fcdabce141f690ff685bb118cff33810a8ceaf68c60
Instruction Fuzzy Hash: CFB11C30A10218DFDB14EB64D5556AEBBB7FF88310F24846AD405EB399DB75EC86CB80

Function 05B3E828 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$kq, xrefs: 05B3E8B3
LRkq, xrefs: 05B3E91B
LRkq, xrefs: 05B3E96A
$kq, xrefs: 05B3E8A7

Memory Dump Source

Source File: 00000000.00000002.4095796469.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 94e59ef6ccd4ae83d1eb88ac5588e8788089e250ae2f58494cca85f137fdcae1
Instruction ID: c221a669ca0411e6576b2a0baf49c31ea01732c516a69a14cb842430d86d123f
Opcode Fuzzy Hash: 94e59ef6ccd4ae83d1eb88ac5588e8788089e250ae2f58494cca85f137fdcae1
Instruction Fuzzy Hash: 8A519130B102019FDB18EB24D555A7EB7F7FB88300B2485AEE406AB399DE35EC41CB54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 05B3B7C8 Relevance: 8.0, Strings: 6, Instructions: 547
COMMON

Function 05B3DD90 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Function 05800500 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 061C7100 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Function 061C7110 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 05B3F1B8 Relevance: 5.2, Strings: 4, Instructions: 233
COMMON

Function 05B3F19E Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Function 061C370E Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre