Edit tour

Windows Analysis Report
Halkbank_Ekstre_20230426_075819_154085.exe

Overview

General Information

Sample name:	Halkbank_Ekstre_20230426_075819_154085.exe
Analysis ID:	1539976
MD5:	c5f2f6abd7eec8c18df5ee086799e1e4
SHA1:	94af18757c5f3b56ac72d1a58097752e56554e21
SHA256:	a8ddfaf817218e3b0118156b2f66878b95771df5b236088b24d1f834253941f7
Tags:	AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Halkbank_Ekstre_20230426_075819_154085.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe" MD5: C5F2F6ABD7EEC8C18DF5EE086799E1E4)

jsc.exe (PID: 5172 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

jsc.exe (PID: 4596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

WerFault.exe (PID: 5896 cmdline: C:\Windows\system32\WerFault.exe -u -p 6484 -s 1008 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": "          WORTHwill3611!           "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.4625900767.000000000285F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: jsc.exe PID: 5172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jsc.exe PID: 5172	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.jsc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.jsc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.jsc.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a1c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aa6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b38:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ba2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33caa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a1c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aa6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b38:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ba2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33caa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x357aa:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3581c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x358a6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35938:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x359a2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35a14:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35aaa:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35b3a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x103e2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x103e9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x103f26:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x103fb8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x104022:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x104094:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10412a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1041ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 74.119.238.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, Initiated: true, ProcessId: 5172, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49716

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T09:34:52.440583+0200	2030171	1	A Network Trojan was detected	192.168.2.6	49716	74.119.238.7	587	TCP
2024-10-23T09:34:54.420807+0200	2030171	1	A Network Trojan was detected	192.168.2.6	49733	74.119.238.7	587	TCP
2024-10-23T09:36:29.625975+0200	2030171	1	A Network Trojan was detected	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2030171	1	A Network Trojan was detected	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2030171	1	A Network Trojan was detected	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2030171	1	A Network Trojan was detected	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2030171	1	A Network Trojan was detected	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2030171	1	A Network Trojan was detected	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2030171	1	A Network Trojan was detected	192.168.2.6	56001	74.119.238.7	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T09:34:52.440583+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	49716	74.119.238.7	587	TCP
2024-10-23T09:34:54.420807+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	49733	74.119.238.7	587	TCP
2024-10-23T09:36:29.625975+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	56001	74.119.238.7	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T09:36:29.625975+0200	2840032	1	A Network Trojan was detected	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2840032	1	A Network Trojan was detected	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2840032	1	A Network Trojan was detected	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2840032	1	A Network Trojan was detected	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2840032	1	A Network Trojan was detected	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2840032	1	A Network Trojan was detected	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2840032	1	A Network Trojan was detected	192.168.2.6	56001	74.119.238.7	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Avira: detected

Found malware configuration

Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alhoneycomb.com", "Username": "blog@alhoneycomb.com", "Password": " WORTHwill3611! "}

Multi AV Scanner detection for submitted file

Source: Halkbank_Ekstre_20230426_075819_154085.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484, type: MEMORYSTR

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb " source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9852.tmp.dmp.6.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49716 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:49716 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49733 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:49733 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:55999 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:56000 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:56000 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:56000 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:56001 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:56001 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:56001 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:55994 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:55994 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:55994 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:55999 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:55999 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:55993 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:55993 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:55993 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:55995 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:55995 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:55995 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:55997 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:55997 -> 74.119.238.7:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.6:55997 -> 74.119.238.7:587

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 74.119.238.7:587

Source: Joe Sandbox View

ASN Name: VPLSNETUS VPLSNETUS

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 74.119.238.7:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: mail.alhoneycomb.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: jsc.exe, 00000002.00000002.4625900767.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002919000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.alhoneycomb.com
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, SKTzxzsJw.cs	.Net Code: GhwkGV1Ll50
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, SKTzxzsJw.cs	.Net Code: GhwkGV1Ll50

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Code function: 2_2_05EFDB08 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,05EFE9B0,00000000,00000000

2_2_05EFDB08

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CC4330	2_2_00CC4330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CC4C00	2_2_00CC4C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CC3FE8	2_2_00CC3FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CCBF12	2_2_00CCBF12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CCBF20	2_2_00CCBF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_05EFB530	2_2_05EFB530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_05EF4700	2_2_05EF4700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_05EF26F0	2_2_05EF26F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_05EF7C08	2_2_05EF7C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_061293D0	2_2_061293D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_061244A0	2_2_061244A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_0612F658	2_2_0612F658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_0612F64A	2_2_0612F64A

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6484 -s 1008

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static PE information: No import functions for PE file found

Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000000.2145915917.000001C6C17F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewcastle.exe4 vs Halkbank_Ekstre_20230426_075819_154085.exe
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIkavihukixeyokibihoyF vs Halkbank_Ekstre_20230426_075819_154085.exe
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb17b300f-3107-4f0e-bd36-73672dc506a5.exe4 vs Halkbank_Ekstre_20230426_075819_154085.exe
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb17b300f-3107-4f0e-bd36-73672dc506a5.exe4 vs Halkbank_Ekstre_20230426_075819_154085.exe
Source: Halkbank_Ekstre_20230426_075819_154085.exe	Binary or memory string: OriginalFilenameNewcastle.exe4 vs Halkbank_Ekstre_20230426_075819_154085.exe

Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Halkbank_Ekstre_20230426_075819_154085.exe, .cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@3/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\efa6dc6c-ca37-4ef1-93a9-1a86fff6ac01

Jump to behavior

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Halkbank_Ekstre_20230426_075819_154085.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

File read: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6484 -s 1008
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static file information: File size 1857125 > 1048576

Source: Halkbank_Ekstre_20230426_075819_154085.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9852.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb " source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9852.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9852.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9852.tmp.dmp.6.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CC0BDD pushfd ; ret		2_2_00CC0BF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 2_2_00CC0BBA pushfd ; ret		2_2_00CC0BF1

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory allocated: 1C6C1B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory allocated: 1C6DB590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory allocated: 1C6E3DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 4810000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199188	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Window / User API: threadDelayed 3287			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Window / User API: threadDelayed 6522			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99413s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97488s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96465s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99872s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99326s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98340s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -98158s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199514s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 828	Thread sleep time: -1199188s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99413	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97488	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98340	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98158	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 1199188	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: jsc.exe, 00000002.00000002.4654840415.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Halkbank_Ekstre_20230426_075819_154085.exe, .cs	Reference to suspicious API methods: GetProcAddress(, )
Source: Halkbank_Ekstre_20230426_075819_154085.exe, .cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, 64u, out var )
Source: Halkbank_Ekstre_20230426_075819_154085.exe, .cs	Reference to suspicious API methods: LoadLibrary([.ToInt32()])
Source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 442000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 6BC008	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4625900767.000000000285F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5172, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5172, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d51134d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d382d7e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154085.exe.1c6d375f160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4625900767.000000000285F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154085.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5172, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	31 Input Capture	1 Process Discovery	Remote Desktop Protocol	31 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	1 Credentials in Registry	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Halkbank_Ekstre_20230426_075819_154085.exe	53%	ReversingLabs	Win32.Trojan.AgentTesla
Halkbank_Ekstre_20230426_075819_154085.exe	100%	Avira	HEUR/AGEN.1313324
Halkbank_Ekstre_20230426_075819_154085.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.alhoneycomb.com	74.119.238.7	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154085.exe, 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.alhoneycomb.com	jsc.exe, 00000002.00000002.4625900767.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002919000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.4625900767.0000000002A7B000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.119.238.7	mail.alhoneycomb.com	United States		35908	VPLSNETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539976
Start date and time:	2024-10-23 09:33:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Halkbank_Ekstre_20230426_075819_154085.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@6/5@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 46 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Halkbank_Ekstre_20230426_075819_154085.exe

Simulations

Behavior and APIs

Time	Type	Description
03:34:46	API Interceptor	1x Sleep call for process: WerFault.exe modified
03:34:46	API Interceptor	11605933x Sleep call for process: jsc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
74.119.238.7	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse
	New Purchase Order.exe	Get hash	malicious	AgentTesla	Browse
	rPO_CW00402902400415.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.alhoneycomb.com	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	New Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	rPO_CW00402902400415.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VPLSNETUS	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	174.139.218.86
	na.elf	Get hash	malicious	Mirai	Browse	98.126.6.38
	New Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	110.34.178.120
	SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf	Get hash	malicious	Mirai	Browse	96.62.177.176
	http://www.telegremapp.me/	Get hash	malicious	Unknown	Browse	74.119.238.102
	rPO_CW00402902400415.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	67.198.129.29
	SecuriteInfo.com.FileRepMalware.25505.20211.exe	Get hash	malicious	Unknown	Browse	66.186.50.50

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Halkbank_Ekstre__63ff1da9e574e0f28ee4519f715b44d13f4dc8c_42281be4_c13959ba-c1c8-489b-8f14-c06a6f76dd39\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.013367888706515
Encrypted:	false
SSDEEP:	192:ypn1nC667n0UnUlaWhZJEzuiF0Z24lO8r:y5Q6+0UnUlauXEzuiF0Y4lO8r
MD5:	B4BB3A88C0852F7DF33C8BFEBAC114A8
SHA1:	B14942A07B61A5CA8C0050A7052A4DB737D559B2
SHA-256:	DEDE22094D011A87811CEEE81FF34560BBBC030C3E76927B0B54160A8ED89A26
SHA-512:	89DA92D34021C6AB9A74705EB0200F2DDC351683BCE1AFC66E3C65F1309A7A2D1EA720C31772E17A861652984EFB9671CB6FE9E3FFEB567F57D25FBFBAC1CF63
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.1.4.2.4.8.3.4.7.2.6.6.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.1.4.2.4.8.3.9.8.8.2.9.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.3.9.5.9.b.a.-.c.1.c.8.-.4.8.9.b.-.8.f.1.4.-.c.0.6.a.6.f.7.6.d.d.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.1.8.7.8.2.4.-.3.5.0.a.-.4.b.c.8.-.8.c.c.e.-.0.4.9.c.8.b.f.5.7.1.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.a.l.k.b.a.n.k._.E.k.s.t.r.e._.2.0.2.3.0.4.2.6._.0.7.5.8.1.9._.1.5.4.0.8.5...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.c.a.s.t.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.4.-.0.0.0.1.-.0.0.1.5.-.d.b.5.b.-.f.e.0.4.1.e.2.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.7.9.a.4.9.b.f.0.2.9.4.6.1.8.7.d.d.7.5.f.4.d.4.0.1.7.4.2.e.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.4.a.f.1.8.7.5.7.c.5.f.3.b.5.6.a.c.7.2.d.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9852.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Oct 23 07:34:43 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	376503
Entropy (8bit):	3.3360529140982145
Encrypted:	false
SSDEEP:	3072:8k+Q9s4eM02Czthr4zxlBDJO7cSlsdeR1fMxb1CCqlzE3+vNPcY4v0:8k+Q9sf2CxhrQavXk5q+3QxcY
MD5:	AF9FA5D53111E25F951EE8598BA50499
SHA1:	414ACFF68A0B698A0B7CE6A27A027A6B612BFD97
SHA-256:	B2279CCA8A6472E2498104616E1937071E01CA4AC8D26943F9FA53CF56710C85
SHA-512:	87CD9B9A33651A11A632B63DDB278D6BDC8CF25D88E4A672F86643E5DC9E24C4A2E8989F64006D912213EB15C830E1A861061990C6B075A04904BCCA7B6D6E0F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g....................................$...h.......\|...........$E..ln..........l.......8...........T...........8(...............6...........7..............................................................................eJ.......8......Lw......................T.......T......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8724
Entropy (8bit):	3.7175979314273557
Encrypted:	false
SSDEEP:	192:R6l7wVeJleMX6Y2DfaXgmfZL1prB89bpyMfMDm:R6lXJsk6YiaXgmfZLmpxf1
MD5:	BE73B8D13CF95C38CFFF1A99E79CF89E
SHA1:	D534E16168F2D3B2E077E81207A50CFCA566305F
SHA-256:	A00E4522B9DB63A97F8DFFB4B642C416E7EBD5D6D2C6E1AE41DA7DA8FEFE25DD
SHA-512:	AD9EE27BFDF9BB21C759F46440B086DFF77D61572CD6B271D74C4CEB589E4C1BD0C9CF8518936B7B4B18372A2015120821993A27464A1225D22B0ED375247203
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99CB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	4.569744491719452
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9XxjCWpW8VYhNYm8M4JmjCDF4zyq85ilaHn8QAQekd:uIjfaI76xjD7V0MJy2p9hd
MD5:	9041F83CBB72155088E85DC4C6FA9D8C
SHA1:	E56A00ACC3068B5F31146450D1BA9C249D6D5E67
SHA-256:	4B2350D9F923C8330A1EF35703D1AA9129DDBA080C0ADFF073CC9AFBF147ED11
SHA-512:	38E2DD324F723D61C7ADF5DABACC585F01E515FAFFA49BBC7B8FED34FA3C3A9F9CC6DFFAD567A62E2FA2CF15D6F0CAED564E11DC97AE2C6FA5F00F62CC63472D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="555757" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468969820086887
Encrypted:	false
SSDEEP:	6144:nzZfpi6ceLPx9skLmb0fTZWSP3aJG8nAgeiJRMMhA2zX4WABluuNEjDH5S:zZHtTZWOKnMM6bFpej4
MD5:	CF3C1C3B2F2724073BABF8C812631890
SHA1:	3ACD31F0AE0669CAC9A11F7B32D3829FCC8A8E68
SHA-256:	BDB8D424764E693ABF77C47D2F1721AC83BCE97AC05AB6818992FD3C58EABB44
SHA-512:	79B490C1718A31274C988E4B5B8B466F2F568A52B0EF7E4C5265A5BF8409BFA9381DFBAF6B9FE4F1943300B1ABA05E93A75437A8A28213B6863570837872A2D1
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.>...%..............................................................................................................................................................................................................................................................................................................................................Rq.2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.299556155132872
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Halkbank_Ekstre_20230426_075819_154085.exe
File size:	1'857'125 bytes
MD5:	c5f2f6abd7eec8c18df5ee086799e1e4
SHA1:	94af18757c5f3b56ac72d1a58097752e56554e21
SHA256:	a8ddfaf817218e3b0118156b2f66878b95771df5b236088b24d1f834253941f7
SHA512:	2d97b7bd18f1e514be0138d660fc99cedd38c343652be72f48f75edae30c67184967834ad00c16a3923e7259683aaf1e51f6e23537d13dd6dc903b2f5db11efd
SSDEEP:	12288:m9yO+7eNjgDgLHtPo8EHPfVw1GI/2PiGEXbzQdFRM9Bz34Acjc:m4OCeRHtlEddiG4n9BzIAcY
TLSH:	8385124235571D6BFE2AA9BACCC2B4F56DFC9D4776F6142FDF909C2618020BC41248B4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...w..g.........."...0..$............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6717F777 [Tue Oct 22 19:05:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x4d6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x24a6	0x2600	1408a5d00f9bfa1e79593e4da46e9a22	False	0.5680509868421053	data	5.586864766001203	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x4d6	0x600	d00c518c8aafea247960e1f782645af5	False	0.3743489583333333	data	3.718432686235799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60a0	0x24c	data			0.46598639455782315
RT_MANIFEST	0x62ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-23T09:34:52.440583+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	49716	74.119.238.7	587	TCP
2024-10-23T09:34:52.440583+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	49716	74.119.238.7	587	TCP
2024-10-23T09:34:54.420807+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	49733	74.119.238.7	587	TCP
2024-10-23T09:34:54.420807+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	49733	74.119.238.7	587	TCP
2024-10-23T09:36:29.625975+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:29.625975+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:29.625975+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	55993	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:31.829699+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	55994	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:46.078521+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	55995	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:36:53.202396+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	55997	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:13.676395+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	55999	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:39.731473+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	56000	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	56001	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	56001	74.119.238.7	587	TCP
2024-10-23T09:38:42.744044+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.6	56001	74.119.238.7	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 09:34:48.837810040 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:49.842765093 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:49.856193066 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:49.856271982 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:49.856295109 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:49.856322050 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:50.664674997 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:50.665560007 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:50.670871973 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:50.832675934 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:50.833610058 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:50.839075089 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:50.995043039 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:50.996041059 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.001440048 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.214087009 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.218091011 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.223671913 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.466455936 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.501578093 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.507131100 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.696908951 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.697120905 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.702510118 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.854585886 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.855077982 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.855176926 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.855178118 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.855178118 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:51.860384941 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.860449076 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.860618114 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:51.860626936 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.030633926 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.077047110 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:52.077249050 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:52.082546949 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.439352989 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.440582991 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:52.441374063 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:52.446330070 CEST	587	49716	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.446703911 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:52.446774960 CEST	49716	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:52.446793079 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.122579098 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.122786999 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.128493071 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.293791056 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.294028997 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.300241947 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.470329046 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.470580101 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.475893021 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.646017075 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.646497011 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.651798964 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.817094088 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:53.837891102 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:53.843477011 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.040395975 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.044706106 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.050184965 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.209640026 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.214323044 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214374065 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214401007 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214423895 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214473963 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214504957 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214531898 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214551926 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214565992 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.214585066 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:34:54.220149994 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.220160961 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.220170021 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.220530033 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.220540047 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.220549107 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.378796101 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:34:54.420806885 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:27.145580053 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:27.151031017 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:27.505106926 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:27.510484934 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:27.516309023 CEST	587	49733	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:27.516485929 CEST	49733	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:27.801795959 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:27.807964087 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:27.808712006 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:28.467101097 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:28.467272043 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:28.473525047 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:28.631742954 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:28.631973982 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:28.637559891 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:28.798243999 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:28.798563957 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:28.803975105 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.088635921 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.088840008 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.094388962 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.252393007 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.252583027 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.259032011 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.440741062 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.440953970 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.446332932 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.614624023 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.616925955 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.617007971 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.617053032 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.617136002 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.620460987 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.622364044 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.622380972 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.622394085 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.622503996 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.622539043 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.625849009 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625864983 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625901937 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625915051 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625927925 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625940084 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.625974894 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.626019955 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.626065969 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.626395941 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.627839088 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.627963066 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.631387949 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.631484032 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.631597042 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.631705046 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.631830931 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.631934881 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.633389950 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.633512974 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:29.637053967 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637067080 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637078047 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637362957 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637384892 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637398958 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637412071 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637424946 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.637439966 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638565063 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638578892 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638602018 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638614893 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638648033 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638670921 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638684988 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638696909 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.638802052 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642138958 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642152071 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642246008 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642258883 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642302990 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:29.642364979 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.015037060 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.021030903 CEST	587	55993	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.021145105 CEST	55993	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.070221901 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.075606108 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.078454971 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.822942972 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.823061943 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.828438997 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.980664968 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:30.980825901 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:30.986150026 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.146948099 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.147164106 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.152523994 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.315697908 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.315876961 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.321360111 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.474538088 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.474908113 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.480279922 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.659137964 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.662075043 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.667414904 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.822236061 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.822622061 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.822679996 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.822679996 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.822746992 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.823858023 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.828027964 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.828105927 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.828119993 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.828135967 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.828249931 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.829390049 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.829560041 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.829576015 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.829699039 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.833616018 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.833770990 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.835295916 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.835443020 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.835483074 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.835580111 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.839539051 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.839693069 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.841161966 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.841260910 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.841275930 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.841288090 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.841304064 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.841315985 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.845403910 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.845489025 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.845503092 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.845515966 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:31.846478939 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:31.851906061 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:32.254528046 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:32.296034098 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:43.948760033 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:43.954046965 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:44.308825970 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:44.342024088 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:44.344470024 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:44.344790936 CEST	55994	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:44.348697901 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:44.350089073 CEST	587	55994	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:44.354212046 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:44.354342937 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.055084944 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.055463076 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.060878038 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.213294029 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.213589907 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.219166994 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.374181032 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.374454021 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.379853010 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.539664984 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.540694952 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.546952963 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.709001064 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.709322929 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.714864016 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.889579058 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:45.892833948 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:45.898272038 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.059427023 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.062638998 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.062679052 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.062679052 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.063458920 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.065445900 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.068125963 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.068145037 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.068157911 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.068806887 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.068831921 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.074297905 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.078521013 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.083996058 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.084014893 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.084151030 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.084175110 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.084188938 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.084485054 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.084501982 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.084743977 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.089694023 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089730978 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089745045 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089776039 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089802980 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:46.089874029 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089971066 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.089994907 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090076923 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090090036 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090126038 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090137959 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090148926 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090173960 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090184927 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090306044 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090320110 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090380907 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090393066 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090743065 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.090756893 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.091371059 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.095226049 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.095369101 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.491482019 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:46.546040058 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:51.052896976 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:51.158761978 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:51.523443937 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:51.523580074 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:51.524669886 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:51.529623985 CEST	587	55995	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:51.529706001 CEST	55995	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:51.530170918 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:51.530262947 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.202752113 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.202919006 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.208357096 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.359030962 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.359246016 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.364705086 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.515794039 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.516072989 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.521533012 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.690432072 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.690643072 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.696088076 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.846632957 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:52.846966982 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:52.852327108 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.020541906 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.020791054 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.026302099 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.187532902 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.187832117 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.187832117 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.187946081 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.187984943 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.189116001 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.193464994 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.193490982 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.193501949 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.193593979 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.193599939 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.194603920 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.194663048 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.194715023 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.198688030 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.198877096 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.202395916 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.208033085 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208125114 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208164930 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.208178043 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208206892 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208256006 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.208256960 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208285093 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.208328009 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.208369017 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:36:53.213757038 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.213917017 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.213944912 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.213978052 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214059114 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214090109 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214145899 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214174986 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214226007 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214256048 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214284897 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214313030 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214365005 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214391947 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214421988 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214448929 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214478016 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214504004 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214531898 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214581966 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214608908 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214637041 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.214665890 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.606861115 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:36:53.717966080 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:07.171387911 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:07.176748991 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:07.537468910 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:07.537622929 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:07.543571949 CEST	587	55997	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:07.543627024 CEST	55997	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:11.534753084 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:11.540342093 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:11.540412903 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:12.542751074 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:12.553690910 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:12.559546947 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:12.726495981 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:12.730195045 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:12.737612963 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:12.908417940 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:12.908835888 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:12.914668083 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.163093090 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.163268089 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.169234991 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.325546026 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.325719118 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.331679106 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.510472059 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.510618925 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.516093969 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.668811083 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.669219017 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.669333935 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.669333935 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.669397116 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.670813084 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.674861908 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.674911976 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.674952030 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.674999952 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.675677061 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676335096 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676373005 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676394939 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676413059 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676444054 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676448107 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676470995 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676485062 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676493883 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676513910 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676527977 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676547050 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.676553965 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.676600933 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.681303978 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.681368113 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.683470964 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.683506012 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.683535099 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.683547020 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.683578968 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.683605909 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.683610916 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.683633089 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.683672905 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.687875032 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.687925100 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:13.688433886 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690232992 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690303087 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690335035 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690385103 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690444946 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690474033 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690510035 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690536976 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690866947 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690903902 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.690936089 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691051960 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691080093 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691107988 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691134930 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691170931 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691196918 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.691224098 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.693191051 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.693217993 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:13.693737030 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:14.080749989 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:14.126609087 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:37.674104929 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:37.679694891 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.035000086 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.037113905 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.039428949 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.042886972 CEST	587	55999	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.044856071 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.044977903 CEST	55999	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.044977903 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.722461939 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.722821951 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.728296995 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.878746033 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:38.878977060 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:38.884381056 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.043225050 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.043505907 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.049019098 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.203700066 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.203840971 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.211611986 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.373205900 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.373373985 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.378737926 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.552675962 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.552823067 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.558109045 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.724376917 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.724600077 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.724726915 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.724823952 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.724890947 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.726030111 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.729870081 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.730024099 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.730036974 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.730103970 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.730185032 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.731411934 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.731472969 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.731528044 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.731581926 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.735302925 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.735368967 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.735378027 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.735421896 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.736812115 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.736859083 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.736891031 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.736934900 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.736934900 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.737010002 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.737020016 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.737035990 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.737036943 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.737052917 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.737070084 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.737097025 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.740787029 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.740834951 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.740886927 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.740896940 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.740912914 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.740940094 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:39.742173910 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742296934 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742357016 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742409945 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742475986 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742551088 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742582083 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.742592096 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746328115 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746370077 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746380091 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746413946 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746424913 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746433973 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746493101 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746534109 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:39.746543884 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.135756969 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.186877966 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:40.572648048 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:40.578141928 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.936165094 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.936273098 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:40.937558889 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:40.941957951 CEST	587	56000	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.942012072 CEST	56000	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:40.942934990 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:40.942995071 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:41.729005098 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:41.729188919 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:41.734816074 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:41.885580063 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:41.887034893 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:41.892431974 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.047859907 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.063683033 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.069319010 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.232436895 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.233834982 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.239415884 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.389841080 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.402275085 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.407763004 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.572793961 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.572969913 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.578489065 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.728801966 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.732986927 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.733043909 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.733043909 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.733135939 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.737754107 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.738466024 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.738501072 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.738532066 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.738595009 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.738595963 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.743347883 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.743653059 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.743895054 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.744044065 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.749479055 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.749567032 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.749684095 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.749739885 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.749756098 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.749808073 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.749823093 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.749838114 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.749888897 CEST	56001	587	192.168.2.6	74.119.238.7
Oct 23, 2024 09:38:42.755235910 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:42.755906105 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:43.146905899 CEST	587	56001	74.119.238.7	192.168.2.6
Oct 23, 2024 09:38:43.343111038 CEST	56001	587	192.168.2.6	74.119.238.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 09:34:48.270061970 CEST	61097	53	192.168.2.6	1.1.1.1
Oct 23, 2024 09:34:48.579580069 CEST	53	61097	1.1.1.1	192.168.2.6
Oct 23, 2024 09:35:11.897332907 CEST	53	60284	162.159.36.2	192.168.2.6
Oct 23, 2024 09:35:12.579189062 CEST	49174	53	192.168.2.6	1.1.1.1
Oct 23, 2024 09:35:12.587115049 CEST	53	49174	1.1.1.1	192.168.2.6
Oct 23, 2024 09:36:27.513391972 CEST	53476	53	192.168.2.6	1.1.1.1
Oct 23, 2024 09:36:27.799129009 CEST	53	53476	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 09:34:48.270061970 CEST	192.168.2.6	1.1.1.1	0x8e14	Standard query (0)	mail.alhoneycomb.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 09:35:12.579189062 CEST	192.168.2.6	1.1.1.1	0xb807	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 23, 2024 09:36:27.513391972 CEST	192.168.2.6	1.1.1.1	0x8156	Standard query (0)	mail.alhoneycomb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 09:34:48.579580069 CEST	1.1.1.1	192.168.2.6	0x8e14	No error (0)	mail.alhoneycomb.com		74.119.238.7	A (IP address)	IN (0x0001)	false
Oct 23, 2024 09:35:12.587115049 CEST	1.1.1.1	192.168.2.6	0xb807	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 23, 2024 09:36:27.799129009 CEST	1.1.1.1	192.168.2.6	0x8156	No error (0)	mail.alhoneycomb.com		74.119.238.7	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 23, 2024 09:34:50.664674997 CEST	587	49716	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:04:50 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:34:50.665560007 CEST	49716	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:34:50.832675934 CEST	587	49716	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:34:50.833610058 CEST	49716	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:34:50.995043039 CEST	587	49716	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:34:51.214087009 CEST	587	49716	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:34:51.218091011 CEST	49716	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:34:51.466455936 CEST	587	49716	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:34:51.501578093 CEST	49716	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:34:51.696908951 CEST	587	49716	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:34:51.697120905 CEST	49716	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:34:51.854585886 CEST	587	49716	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:34:51.855178118 CEST	49716	587	192.168.2.6	74.119.238.7	.
Oct 23, 2024 09:34:52.030633926 CEST	587	49716	74.119.238.7	192.168.2.6	250 OK id=1t3VtL-001KCJ-2U
Oct 23, 2024 09:34:52.077249050 CEST	49716	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:34:52.439352989 CEST	587	49716	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:34:53.122579098 CEST	587	49733	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:04:53 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:34:53.122786999 CEST	49733	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:34:53.293791056 CEST	587	49733	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:34:53.294028997 CEST	49733	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:34:53.470329046 CEST	587	49733	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:34:53.646017075 CEST	587	49733	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:34:53.646497011 CEST	49733	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:34:53.817094088 CEST	587	49733	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:34:53.837891102 CEST	49733	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:34:54.040395975 CEST	587	49733	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:34:54.044706106 CEST	49733	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:34:54.209640026 CEST	587	49733	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:34:54.214585066 CEST	49733	587	192.168.2.6	74.119.238.7	.
Oct 23, 2024 09:34:54.378796101 CEST	587	49733	74.119.238.7	192.168.2.6	250 OK id=1t3VtO-001KDl-0P
Oct 23, 2024 09:36:27.145580053 CEST	49733	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:36:27.505106926 CEST	587	49733	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:36:28.467101097 CEST	587	55993	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:06:28 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:36:28.467272043 CEST	55993	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:36:28.631742954 CEST	587	55993	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:36:28.631973982 CEST	55993	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:36:28.798243999 CEST	587	55993	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:36:29.088635921 CEST	587	55993	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:36:29.088840008 CEST	55993	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:29.252393007 CEST	587	55993	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:36:29.252583027 CEST	55993	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:29.440741062 CEST	587	55993	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:36:29.440953970 CEST	55993	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:36:29.614624023 CEST	587	55993	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:36:30.822942972 CEST	587	55994	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:06:30 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:36:30.823061943 CEST	55994	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:36:30.980664968 CEST	587	55994	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:36:30.980825901 CEST	55994	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:36:31.146948099 CEST	587	55994	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:36:31.315697908 CEST	587	55994	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:36:31.315876961 CEST	55994	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:31.474538088 CEST	587	55994	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:36:31.474908113 CEST	55994	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:31.659137964 CEST	587	55994	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:36:31.662075043 CEST	55994	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:36:31.822236061 CEST	587	55994	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:36:31.846478939 CEST	55994	587	192.168.2.6	74.119.238.7	.
Oct 23, 2024 09:36:32.254528046 CEST	587	55994	74.119.238.7	192.168.2.6	250 OK id=1t3Vux-001LUq-2N
Oct 23, 2024 09:36:43.948760033 CEST	55994	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:36:44.308825970 CEST	587	55994	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:36:45.055084944 CEST	587	55995	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:06:44 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:36:45.055463076 CEST	55995	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:36:45.213294029 CEST	587	55995	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:36:45.213589907 CEST	55995	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:36:45.374181032 CEST	587	55995	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:36:45.539664984 CEST	587	55995	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:36:45.540694952 CEST	55995	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:45.709001064 CEST	587	55995	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:36:45.709322929 CEST	55995	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:45.889579058 CEST	587	55995	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:36:45.892833948 CEST	55995	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:36:46.059427023 CEST	587	55995	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:36:46.491482019 CEST	587	55995	74.119.238.7	192.168.2.6	250 OK id=1t3VvB-001LgD-38
Oct 23, 2024 09:36:51.052896976 CEST	55995	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:36:51.523443937 CEST	587	55995	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:36:52.202752113 CEST	587	55997	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:06:52 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:36:52.202919006 CEST	55997	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:36:52.359030962 CEST	587	55997	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:36:52.359246016 CEST	55997	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:36:52.515794039 CEST	587	55997	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:36:52.690432072 CEST	587	55997	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:36:52.690643072 CEST	55997	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:52.846632957 CEST	587	55997	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:36:52.846966982 CEST	55997	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:36:53.020541906 CEST	587	55997	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:36:53.020791054 CEST	55997	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:36:53.187532902 CEST	587	55997	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:36:53.606861115 CEST	587	55997	74.119.238.7	192.168.2.6	250 OK id=1t3VvJ-001Lk0-0I
Oct 23, 2024 09:38:07.171387911 CEST	55997	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:38:07.537468910 CEST	587	55997	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:38:12.542751074 CEST	587	55999	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:08:12 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:38:12.553690910 CEST	55999	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:38:12.726495981 CEST	587	55999	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:38:12.730195045 CEST	55999	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:38:12.908417940 CEST	587	55999	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:38:13.163093090 CEST	587	55999	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:38:13.163268089 CEST	55999	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:13.325546026 CEST	587	55999	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:38:13.325719118 CEST	55999	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:13.510472059 CEST	587	55999	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:38:13.510618925 CEST	55999	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:38:13.668811083 CEST	587	55999	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:38:14.080749989 CEST	587	55999	74.119.238.7	192.168.2.6	250 OK id=1t3Vwb-001MIQ-1s
Oct 23, 2024 09:38:37.674104929 CEST	55999	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:38:38.035000086 CEST	587	55999	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:38:38.722461939 CEST	587	56000	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:08:38 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:38:38.722821951 CEST	56000	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:38:38.878746033 CEST	587	56000	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:38:38.878977060 CEST	56000	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:38:39.043225050 CEST	587	56000	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:38:39.203700066 CEST	587	56000	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:38:39.203840971 CEST	56000	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:39.373205900 CEST	587	56000	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:38:39.373373985 CEST	56000	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:39.552675962 CEST	587	56000	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:38:39.552823067 CEST	56000	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:38:39.724376917 CEST	587	56000	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:38:40.135756969 CEST	587	56000	74.119.238.7	192.168.2.6	250 OK id=1t3Vx1-001MWG-22
Oct 23, 2024 09:38:40.572648048 CEST	56000	587	192.168.2.6	74.119.238.7	QUIT
Oct 23, 2024 09:38:40.936165094 CEST	587	56000	74.119.238.7	192.168.2.6	221 md-la-5.webhostbox.net closing connection
Oct 23, 2024 09:38:41.729005098 CEST	587	56001	74.119.238.7	192.168.2.6	220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 23 Oct 2024 13:08:41 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 23, 2024 09:38:41.729188919 CEST	56001	587	192.168.2.6	74.119.238.7	EHLO 609290
Oct 23, 2024 09:38:41.885580063 CEST	587	56001	74.119.238.7	192.168.2.6	250-md-la-5.webhostbox.net Hello 609290 [173.254.250.90] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 23, 2024 09:38:41.887034893 CEST	56001	587	192.168.2.6	74.119.238.7	AUTH login YmxvZ0BhbGhvbmV5Y29tYi5jb20=
Oct 23, 2024 09:38:42.047859907 CEST	587	56001	74.119.238.7	192.168.2.6	334 UGFzc3dvcmQ6
Oct 23, 2024 09:38:42.232436895 CEST	587	56001	74.119.238.7	192.168.2.6	235 Authentication succeeded
Oct 23, 2024 09:38:42.233834982 CEST	56001	587	192.168.2.6	74.119.238.7	MAIL FROM:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:42.389841080 CEST	587	56001	74.119.238.7	192.168.2.6	250 OK
Oct 23, 2024 09:38:42.402275085 CEST	56001	587	192.168.2.6	74.119.238.7	RCPT TO:<blog@alhoneycomb.com>
Oct 23, 2024 09:38:42.572793961 CEST	587	56001	74.119.238.7	192.168.2.6	250 Accepted
Oct 23, 2024 09:38:42.572969913 CEST	56001	587	192.168.2.6	74.119.238.7	DATA
Oct 23, 2024 09:38:42.728801966 CEST	587	56001	74.119.238.7	192.168.2.6	354 Enter message, ending with "." on a line by itself
Oct 23, 2024 09:38:43.146905899 CEST	587	56001	74.119.238.7	192.168.2.6	250 OK id=1t3Vx4-001MXT-25

Target ID:	0
Start time:	03:34:40
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154085.exe"
Imagebase:	0x1c6c17f0000
File size:	1'857'125 bytes
MD5 hash:	C5F2F6ABD7EEC8C18DF5EE086799E1E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2214230680.000001C6D5113000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2213530683.000001C6C38EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2214230680.000001C6D375F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:34:43
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:	0x480000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4625900767.000000000285F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4625900767.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4625900767.0000000002867000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4610361547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:34:43
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:	0x730000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:34:43
Start date:	23/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6484 -s 1008
Imagebase:	0x7ff65a070000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.2%
Total number of Nodes:	317
Total number of Limit Nodes:	37

Executed Functions

Function 061293D0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4662311392.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6120000_jsc.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7e2156a243b6a66faca43043106e13b7dad108b2962b25c6d0563adbd4b095a6
Instruction ID: f0c1baf8e194b18893c79c469a35cd0d3feeb4be252ac7d53c1c0cc0ab026688
Opcode Fuzzy Hash: 7e2156a243b6a66faca43043106e13b7dad108b2962b25c6d0563adbd4b095a6
Instruction Fuzzy Hash: 48F15C30E0021ACFEB54DFAAC984B9DBBF1BF88314F158969D405AB265DB70E955CB80

Function 05EFDB08 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,05EFE9B0,00000000,00000000), ref: 05EFEBC3

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ed7cf1c1235f83fd811607dfa4755469d8100249e277272b4fa6eacc2f523f25
Instruction ID: 7409b94acaab82c9150dc6995db17cba578ba5a8a638d0143cc16a0e469ff548
Opcode Fuzzy Hash: ed7cf1c1235f83fd811607dfa4755469d8100249e277272b4fa6eacc2f523f25
Instruction Fuzzy Hash: 062138759042099FDB64CF99C844BEEFBF9FB88310F108429E559A7250CBB4A944CFA1

Function 00CC4330 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V4m, xrefs: 00CC45E7

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID:
String ID: \V4m
API String ID: 0-1082643222
Opcode ID: 5b1a4cb071c59e7708c55eb82b988cd8d4bb3390e8eef674bba70b095b538f88
Instruction ID: 7c30f6aa0468c912724e60c33bb9dbc6a51545636f9eb4a595da22ae22b2442f
Opcode Fuzzy Hash: 5b1a4cb071c59e7708c55eb82b988cd8d4bb3390e8eef674bba70b095b538f88
Instruction Fuzzy Hash: 8FB13C70E00219CFDB18CFA9D995BADBBF2AF88714F24C12DE415A7294EB749941CF81

Function 00CC3FE8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V4m, xrefs: 00CC4233

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID:
String ID: \V4m
API String ID: 0-1082643222
Opcode ID: db7dad486784258061d14cdf0e1196b14ef357fd8c1757153415423f02acd850
Instruction ID: 469e15cbda597fb6223956711a17a3ffd7667ec798dfaf73459c20a08d2ab23c
Opcode Fuzzy Hash: db7dad486784258061d14cdf0e1196b14ef357fd8c1757153415423f02acd850
Instruction Fuzzy Hash: 54914971E00209CFDF18CFA9C991BADBBF2AF88314F14C12DE455A7294EB749985CB81

Function 05EF4700 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cefbfe4feef132a386fb615a1696664bb84048704f7850e49cb66132c0d23c
Instruction ID: de8e93e113ca48cd1a466577008ac74525eaf06c31587f4f98ed52d871847535
Opcode Fuzzy Hash: d4cefbfe4feef132a386fb615a1696664bb84048704f7850e49cb66132c0d23c
Instruction Fuzzy Hash: FFB1C031B002588BDF18EB78985477F7AA7BFC8710B18846EE157D7388EE349C068795

Function 00CC4C00 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde8fa3bd2d13c404b0cabf1b1f5e6104f0af5ee85343b818bc7af2e77d79ad8
Instruction ID: 9d4047ee573125bd4bdc575394369f3b5ac2f62d8bc88af2722a76b67415fbd5
Opcode Fuzzy Hash: bde8fa3bd2d13c404b0cabf1b1f5e6104f0af5ee85343b818bc7af2e77d79ad8
Instruction Fuzzy Hash: 23B14C70E00209CFDB18DFA9D8A1B9DBBF2BF88714F14C52DD815A7294EB749941CB81

Function 05EFB530 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2639fddc43694a05fa8ac86ca548a4346a34cbe65a685281ad6adc94de739
Instruction ID: 760ed0f8b4b610f24f6735b9602f61e5200e57f4067fbc3cd0f31974e97e2c0f
Opcode Fuzzy Hash: f7e2639fddc43694a05fa8ac86ca548a4346a34cbe65a685281ad6adc94de739
Instruction Fuzzy Hash: 60819235E0035A8FCB04DFA0DC949DDBBBAFF89310F258619E516AB2A4DF30A945CB50

Function 00CC9D92 Relevance: 1.8, APIs: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00CC9F2F

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: 13f8d0a6f1528a458778e9629064e3b59d0218369d5ea78dd9b04b373e971596
Instruction ID: d64ff6b3f553e6dcc4f2e5777b6f86f744a8aa7bb211cffd9ab3ad818cbbb497
Opcode Fuzzy Hash: 13f8d0a6f1528a458778e9629064e3b59d0218369d5ea78dd9b04b373e971596
Instruction Fuzzy Hash: 4AC1AF30B402099FDB18AFA5D858BAE7AA2EFC8300F24846CE506EB381DF349D45CB55

Function 05EF4B98 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37de89e63778abf7bfd6f541ddb3d9ab68aed001cfd93345e186c8ee4cffd22
Instruction ID: 2a196e161c431041a02068c5d40ee67e0d136dda8af6339ab15aa8615abc2b96
Opcode Fuzzy Hash: f37de89e63778abf7bfd6f541ddb3d9ab68aed001cfd93345e186c8ee4cffd22
Instruction Fuzzy Hash: 01412632E043598FDB14DFAAD84479EBBF5BF89214F14856AD544A7281DF78A840CBD0

Function 05EFB185 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EFB2A2

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52171e3ebd00743b8f0b85ff6d2a9957af30bbf8bafbc018294d01bee5dfd592
Instruction ID: 2c5a15ad1c2a4bc470ed2b909b8d703035bcd147a15936c1ea82dcab578222ac
Opcode Fuzzy Hash: 52171e3ebd00743b8f0b85ff6d2a9957af30bbf8bafbc018294d01bee5dfd592
Instruction Fuzzy Hash: C751D0B5D003499FEB14CF99C884ADEBBB5BF88314F24912AE919AB210DB759845CF90

Function 05EFB190 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EFB2A2

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d52ad9251d8c195ebd3dfbedc3909d50ce24171f8ca41bb63279b557864cf493
Instruction ID: 13ff7153b9f6640fde51aac368d0b1531732e70dc970649c704007ce516efc07
Opcode Fuzzy Hash: d52ad9251d8c195ebd3dfbedc3909d50ce24171f8ca41bb63279b557864cf493
Instruction Fuzzy Hash: B141C1B5D003499FEB14CF9AC984ADEBFB5BF48314F24912AE919AB210DB719845CF90

Function 05EF9CD4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05EFC369

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f2da1f3c811313148b3314cf7209b2fd2d66a90fd3898541b9901f6449dbcb62
Instruction ID: 912f8e1539c3715f0930ca7fee49d0abfaf89c9c44a384686e7c22adebc66a5b
Opcode Fuzzy Hash: f2da1f3c811313148b3314cf7209b2fd2d66a90fd3898541b9901f6449dbcb62
Instruction Fuzzy Hash: B74129B5A04309CFDB14CF99C488AAEBBF5FF88314F24C499D559A7361D774A841CBA0

Function 05EFCEF4 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05EFCF88

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2c72d81314f447a7c1e11aeb8fcb0f6ce2a7aca738fd8a01c9e5d7bfc3551660
Instruction ID: f01f196c8884fe264135338ae1dad068026a3577d35da12e8ce0df200465db0f
Opcode Fuzzy Hash: 2c72d81314f447a7c1e11aeb8fcb0f6ce2a7aca738fd8a01c9e5d7bfc3551660
Instruction Fuzzy Hash: 0F3110B190521CEFEB10CF99C984BCEBBF5BB48714F209059E508AB290DBB4A844CB90

Function 05EFC8EC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05EFCF88

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f4d2582d3d5d7c7d276cb3099c0bf74d55d846be8c8afe9dc60baa6fe147d670
Instruction ID: c41eff6a198121954038017b3e18f577b12a3435e044a0785119c12e107932f0
Opcode Fuzzy Hash: f4d2582d3d5d7c7d276cb3099c0bf74d55d846be8c8afe9dc60baa6fe147d670
Instruction Fuzzy Hash: 783111B190521CEFDB10CF99C984BCEBBF1BB48714F209059E509AB390DBB46844CB90

Function 00CCB04B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CCB0D7

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 23ae858dbe1968dfa70bbd9ec5fcadb0e6849db3e8cb668057deff72a6de5e46
Instruction ID: 9058d2fc9c2b1d5d8f879b9071e71286c0799c22552ace1df86a6b5aea0c0e24
Opcode Fuzzy Hash: 23ae858dbe1968dfa70bbd9ec5fcadb0e6849db3e8cb668057deff72a6de5e46
Instruction Fuzzy Hash: DC21E3B59002599FDB10CFAAD985ADEFBF4EB48320F14801AE954A3350D375A950CFA4

Function 00CCCD28 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,00CCCD10,038160D8,0283614C), ref: 00CCCDA1

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 2f254d785de7d0faa943a721a82962255e23e7f4f48a83d9de819da4fd33aa6f
Instruction ID: faf8a2d96259a1e9bd0baac06b52ee82eaa74267855ea88e19c826699f3a92f6
Opcode Fuzzy Hash: 2f254d785de7d0faa943a721a82962255e23e7f4f48a83d9de819da4fd33aa6f
Instruction Fuzzy Hash: 63213E75D002098FDB14CF9AC884BEEFBF5FB88320F14842AD459A7250D778A945CF61

Function 00CCB050 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CCB0D7

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 383e360db4a169e9c9bf22311713723f2a08886fc0e9b669c443cfb27171bbbe
Instruction ID: d137f520810c37122dec5b928c25971b3f09afe4030ac5c17a34ef5b8c750a84
Opcode Fuzzy Hash: 383e360db4a169e9c9bf22311713723f2a08886fc0e9b669c443cfb27171bbbe
Instruction Fuzzy Hash: C421E3B59002499FDB10CFAAD984ADEFBF4EB48320F14801AE954A3250D375A950CFA0

Function 00CCB98C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,00CCCD10,038160D8,0283614C), ref: 00CCCDA1

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: d15709ecf92d11013586151f1c9d158a0ffefe52f2169abbc8fea28d9ffacf27
Instruction ID: a6d78d9f780c770215ab3b3864de1037b857008e91f9beceae914941e55c35c2
Opcode Fuzzy Hash: d15709ecf92d11013586151f1c9d158a0ffefe52f2169abbc8fea28d9ffacf27
Instruction Fuzzy Hash: 56213BB1D0021A8FDB14CF9AC884BEEFBF5FB88320F14842AD459A7250D774A944CFA5

Function 00CCD4B9 Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 00CCD53D

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 57df263cfc61c299171615cbd1aeb2bee0278c729a9fc8d8c896f62a4b24fdd1
Instruction ID: b1115ec21f202db4ec9a6174be451f6b099d680897b4bdd0ff6c6fd5b2aa4720
Opcode Fuzzy Hash: 57df263cfc61c299171615cbd1aeb2bee0278c729a9fc8d8c896f62a4b24fdd1
Instruction Fuzzy Hash: 942102B68003099FDB14CF9AD884BDEFBB4FB48314F10852EE819A7200C375AA45CFA0

Function 05EFEB41 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,05EFE9B0,00000000,00000000), ref: 05EFEBC3

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 163ed643e8ef7c31b81fd6af7b7eb50d7af73636ba09d819007c2389cecdeb60
Instruction ID: bb34234e4ae8fd9576660eaf912763f40349c42056af8b5f9058793aa1370c37
Opcode Fuzzy Hash: 163ed643e8ef7c31b81fd6af7b7eb50d7af73636ba09d819007c2389cecdeb60
Instruction Fuzzy Hash: 702134B59042099FDB54CF9AC844BDEFBF5BB88320F108429E459A7250CBB4A944CFA1

Function 00CCD4C0 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 00CCD53D

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 39fa97cc55f9b44e876cc3b0e635725e2381a5b3d4a7ac4f22806a6f72bc3d49
Instruction ID: 13015c75222607d0c7d95feb544b8363b35af09bbfeb7e68dd33276e09a59f94
Opcode Fuzzy Hash: 39fa97cc55f9b44e876cc3b0e635725e2381a5b3d4a7ac4f22806a6f72bc3d49
Instruction Fuzzy Hash: DF21E2B69003499FDB14CF9AD884BDEFBB5FB48314F10852ED519A7200D375AA44CBA0

Function 05EF3F7C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05EF4BEA), ref: 05EF4CD7

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2678f35350bb21974e4764e66f0f047e5f55ab02c7e0d4a105db43e7385facc5
Instruction ID: 3172f7614501ff568156704ab60c3e8a9fdf043dc232339ad3fcf6777c9f327a
Opcode Fuzzy Hash: 2678f35350bb21974e4764e66f0f047e5f55ab02c7e0d4a105db43e7385facc5
Instruction Fuzzy Hash: 351133B6C0065A9BDB10CF9AC544BDEFBF4BF48224F10816AE918A7240D778A950CFA1

Function 05EFAA58 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05EFAAC6

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 90faf49aa59c8ab2cbdfdddfbd325306003833bae286764c4725da118067f7ae
Instruction ID: 1f30ebe27f85b4fbce3cad47400191ca16071a3a1192169e1259a1f71feee699
Opcode Fuzzy Hash: 90faf49aa59c8ab2cbdfdddfbd325306003833bae286764c4725da118067f7ae
Instruction Fuzzy Hash: 941120B6C007098FDB10CF9AC544BCEFBF4EB88224F10846AD969A7200C779A509CFA1

Function 05EFAA60 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05EFAAC6

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9620bd0a6199ae305e8571da487ad970d03190518e8116fe5cd992badfedf092
Instruction ID: 4f9df795c74ea920782af6679c5e2ef0d9cc8daf025a72d7da96c6ad42e18af2
Opcode Fuzzy Hash: 9620bd0a6199ae305e8571da487ad970d03190518e8116fe5cd992badfedf092
Instruction Fuzzy Hash: 1B110FB6C006498FDB10CF9AD544BDEFBF4AB88224F10846AD569A7200C779A545CFA1

Function 00CCB920 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00CCBED5

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 010ae0cc38ad4190326130aadade462a5dad59c218f9fdf7730e688c5f129948
Instruction ID: 7579e579c4fefe223c61a835f9d48eab37df7a59ce42acde09a52d70c3023c9a
Opcode Fuzzy Hash: 010ae0cc38ad4190326130aadade462a5dad59c218f9fdf7730e688c5f129948
Instruction Fuzzy Hash: 9C1133B58003498FCB20DF9AC485BDEFBF4EB48724F208459E618A7200C3B5A940CFA5

Function 00CCBE78 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00CCBED5

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 914b20395cb634b5305440ffe630208c2e4512f6b808d96b349f7e771af38615
Instruction ID: abe306a9a0c5eb092b78958bea0d4dee96bf8e340b2602f0a448f39b996dd018
Opcode Fuzzy Hash: 914b20395cb634b5305440ffe630208c2e4512f6b808d96b349f7e771af38615
Instruction Fuzzy Hash: 6F1103B58002498FDB20DF9AD585BDEBBF4EB48324F248459D659A7200C379A944CFA5

Function 0612889C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,061296F7), ref: 0612A19D

Memory Dump Source

Source File: 00000002.00000002.4662311392.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6120000_jsc.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: dc381ff9f7004a422a580d8358cb5582784d583cb652c09840af1d44c303a8c2
Instruction ID: 2a06dd50a5dfac70fe2ebc3a2e911926a4193c40d5815c5358fc69b5ddef8b00
Opcode Fuzzy Hash: dc381ff9f7004a422a580d8358cb5582784d583cb652c09840af1d44c303a8c2
Instruction Fuzzy Hash: 69112EB5C0465A8FCB20DF9AD944BDEFBF4EF48320F10846AE818A3200D378A544CFA5

Function 05EF9D2C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05EFC5B5), ref: 05EFC63F

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 90f3c4c633b3e5bd3ee6c5dbda6edbdb563feec02d000bce78bcb94f30fddc39
Instruction ID: b56dee5f53a9cb0b6f017ced0b6a5801d2869bd5662f8852dae461dc9f8ad7a2
Opcode Fuzzy Hash: 90f3c4c633b3e5bd3ee6c5dbda6edbdb563feec02d000bce78bcb94f30fddc39
Instruction Fuzzy Hash: 411148B5804349CFCB10CF99C484BDEFBF4EB48724F209459D659A7200D774A944CFA5

Function 00CCB048 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CCB0D7

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a82b0fa2401de8f96095b3b2c6bc0d5908c439caf3d779b3c70c7ff5625b4369
Instruction ID: 7bf4bfc528c036c1838dd0354b059977a542b77dcecd533628e1606b9249cb74
Opcode Fuzzy Hash: a82b0fa2401de8f96095b3b2c6bc0d5908c439caf3d779b3c70c7ff5625b4369
Instruction Fuzzy Hash: 751105B6900209DFDB10CFAAD845BEEBBF4EF48314F14800AE954A7250C3799A50DF61

Function 05EFC5D9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05EFC5B5), ref: 05EFC63F

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 451f5aa932f958813b75f85982d923a249b1d9243888facc850ee66e79e66684
Instruction ID: 0fe060dfaf7e76e11248b91ba7c8eecbf040c43f6045fab592423892485c7cfb
Opcode Fuzzy Hash: 451f5aa932f958813b75f85982d923a249b1d9243888facc850ee66e79e66684
Instruction Fuzzy Hash: 2D1133B98043498FCB10CF9AD444BDEFBF8FB48724F20841AD658A7200C778A940CFA5

Function 05EFC66C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05EFC5B5), ref: 05EFC63F

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5297ce735fdf12d297fe585378c37045786c7d0e11c9612bbbc89ae026a7d43a
Instruction ID: 4eb939a4c3326af74a8ddb05e0dfdfd0737b8832c81f1fafa8245ec1a059594f
Opcode Fuzzy Hash: 5297ce735fdf12d297fe585378c37045786c7d0e11c9612bbbc89ae026a7d43a
Instruction Fuzzy Hash: 16F0F0B280C3888EEB108B99C4593DABFF0EF40218F34948AC29E9B251D7BD5505CB51

Function 085D2908 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfd6bd5db2f3f5cf71feefc7e867887e26d8d1d602415b173b80ac62ce3d6c6
Instruction ID: 9c1535f103ff248737bb7a0180b5f0355095f1a36681e6e4943c63f06b045870
Opcode Fuzzy Hash: 1bfd6bd5db2f3f5cf71feefc7e867887e26d8d1d602415b173b80ac62ce3d6c6
Instruction Fuzzy Hash: 8BD17C70E003499FDB24DFA9C8546AEBBF2FF88310F148569E805AB351DB74A985CB91

Function 085D0458 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f479f8f0afbac044d2b352ace3580f60446b0a9d6856778bffc52a67c44dea96
Instruction ID: 21485e28d787f28c5c2d0c3e51725be5be1f252371bff0dc1dd8a1bb1588b762
Opcode Fuzzy Hash: f479f8f0afbac044d2b352ace3580f60446b0a9d6856778bffc52a67c44dea96
Instruction Fuzzy Hash: 3441E221B043455FDB59AB78982066FBFF6AFC5200B1484AED80ADB382EE34CD06C791

Function 085D28F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2e911fb32f82ede84a89c790595af0b088cda7b6bc72957dccedf25a153030
Instruction ID: 5ad0d1298fc496f4cd30f5767db098bb650f12967d43fdea4d7f1b1382ca1d9f
Opcode Fuzzy Hash: ba2e911fb32f82ede84a89c790595af0b088cda7b6bc72957dccedf25a153030
Instruction Fuzzy Hash: D8415E31E007099FCB24DFA9C45469DFBB1FF88311F14C669E849BB264EB70A981CB90

Function 085D3152 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0ecf2be9cf07e073ff2e0c0513ab597d56ef2850458723d81e744351cf6d2b
Instruction ID: 3d7564e097fd3c3a27b0213918f3f7291b25df06ff537d84c4f328954e5d38a8
Opcode Fuzzy Hash: 0e0ecf2be9cf07e073ff2e0c0513ab597d56ef2850458723d81e744351cf6d2b
Instruction Fuzzy Hash: 2B319070A00206CFCF11EB68D890AAEBBB5EF89300F50856DD505EB355EB35AD06CB91

Function 085D3160 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809b0092cc11f05756770eb74b744e516afd56576ae15ec85366ce03e4c43099
Instruction ID: a2bd6f99baf0f0a0160c93b225cafa8b038b1f44ab17ba6d9e794c1340c0f0e8
Opcode Fuzzy Hash: 809b0092cc11f05756770eb74b744e516afd56576ae15ec85366ce03e4c43099
Instruction Fuzzy Hash: A2318D70A00206CFDF10EB68D890AAEBBB5FF89300F50956CD505EB354EB35AD06CB91

Function 085D2C7C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2f5b939732d3d2c4863539521fda4b2f098bab57b20ddaae05d911ca7c0f47
Instruction ID: 1e4bb5d8fe67fa15d85386124d6f0770f22c43799933b543f8c214210cf5cc9b
Opcode Fuzzy Hash: 8c2f5b939732d3d2c4863539521fda4b2f098bab57b20ddaae05d911ca7c0f47
Instruction Fuzzy Hash: 1331DEB5C01318DFDB20DF99C985BCEBBF4BF48710F24805AE804AB250C7B56885CBA1

Function 085D14E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f8963eb6e722a1703bcb495b4d7a295b89d629f714f9e66565a5dfc742b2e4
Instruction ID: d4ca7a380cd44a9b9df030eaca2e3cca5006c24c4fb5a958c5a9ed3330dfe744
Opcode Fuzzy Hash: 60f8963eb6e722a1703bcb495b4d7a295b89d629f714f9e66565a5dfc742b2e4
Instruction Fuzzy Hash: 8231FEB1C00318DFDB20DF99C988BDEBFF4BB48310F24845AE805AB250C7B5A845CBA0

Function 00C7D468 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b6a70a8dc28dee8615a2b028bb40e9ea9d3ebe021fa25b0a9414ab53310fe1
Instruction ID: c044a60d9cecffc5cb378bf78552d627550f97af506cbf41c0d9d110314172d2
Opcode Fuzzy Hash: 73b6a70a8dc28dee8615a2b028bb40e9ea9d3ebe021fa25b0a9414ab53310fe1
Instruction Fuzzy Hash: 1621F2B5504204EFDB04DF24D5C0B26BB75FF84318F24C56DE90E4B256C37AE846CA61

Function 00C7D0F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051eed398ca852d8ccb59f1703d4e365de8014b3fbe2ecd6e8fea7557dfa741c
Instruction ID: 2d473c4a2315872a5100a9eaacbfff2f316eba8e6bca22c7ecc2cb300cbffb3d
Opcode Fuzzy Hash: 051eed398ca852d8ccb59f1703d4e365de8014b3fbe2ecd6e8fea7557dfa741c
Instruction Fuzzy Hash: 6621F2B5604244EFDB04DF24D9C0B2ABB75FF84324F64C56DE90E4B256C376D846CA61

Function 00C7D2B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b161141f1c86b6c974aa38c1413ceaacd1b915c3402ca8207e557227ad852c89
Instruction ID: adca0fdd534d00ec297b0fc7c5bac8c021d3cc599122c19b68bc01946e58b8b3
Opcode Fuzzy Hash: b161141f1c86b6c974aa38c1413ceaacd1b915c3402ca8207e557227ad852c89
Instruction Fuzzy Hash: 662126B2504244DFDB04DF15D9C4B2ABB75FF84324F24C56DD90E0B262C37AD846CA62

Function 085D14EC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d38dca9fc7f0acb69ae3d3e04e5ad983322b18125683c1706bbb47d3f12feb
Instruction ID: 99f5ddcdf054c8530111b89c57b8419d8187cc70b9d7a98d855790436c2132b3
Opcode Fuzzy Hash: f8d38dca9fc7f0acb69ae3d3e04e5ad983322b18125683c1706bbb47d3f12feb
Instruction Fuzzy Hash: C431DFB1D01318DFDB24DF9AC588BDEBBF4BB48710F24845AE805BB250C7B5A845CBA1

Function 00C7D463 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: f6673d4c543522e119a297a48a7013dad0c848ac8121b77fba75af09e47dc6a4
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 40118BB6504284DFCB15CF24D5C4B15BBB1FB84318F28C6AAD84A4B656C33AD94ACB62

Function 00C7D0EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 2a6011f44ad9f681ad3dd4557b07befc4e3183c3a186edaa37270be823c7a8f3
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: F2118E75504284DFDB15CF10D9C4B19BF71FB84324F24C6A9D84E4B656C33AD94ACB61

Function 00C7D2B3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4622268639.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c7d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
Instruction ID: 2cdbd338ea4352ed0d16639ac86461d014194d58292f453666cc640f5c5cd7d2
Opcode Fuzzy Hash: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
Instruction Fuzzy Hash: C811B276504284CFCB11CF14D5C4B19FB71FB84324F28C6AAD84E4B666C33AD946CBA2

Function 085D04E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4663986139.00000000085D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_85d0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77aec62879bb75120cdc3446f8668efcccdbe89b6bbcf6b1d9d999fbacf110e9
Instruction ID: 33353baed3ff72e8d75df5f3c760a31d621629a00cd27143710a5249f2fe98f3
Opcode Fuzzy Hash: 77aec62879bb75120cdc3446f8668efcccdbe89b6bbcf6b1d9d999fbacf110e9
Instruction Fuzzy Hash: D0F0FC69F006156BDB54D6AE9C1069FAFBF8FC5511B14806F9C19D3384DB74CD024791

Non-executed Functions

Function 00CCBF12 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

\, xrefs: 00CCBF19

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: d3cc6a231c11158204839edfde6edb053ee47a89525d63679f22d339f1b6f313
Instruction ID: 1cb14d28903d0d8991d5cda64aa8641f85eb94f51a494e52b693f4982682ea1a
Opcode Fuzzy Hash: d3cc6a231c11158204839edfde6edb053ee47a89525d63679f22d339f1b6f313
Instruction Fuzzy Hash: E2C1FBB0CD17468BD710CF66EC881897BB1BB85314FB2CB09DA616B2D1EBB4146ACF54

Function 05EF26F0 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b126621e727e64272b7736f98d5dbaaf86298ef28b1ec48281a7f7e318b8c105
Instruction ID: 74053fa94a4b2da763eb5c1d19cca99a2ef3a3faaf3dd7de7c543da975456257
Opcode Fuzzy Hash: b126621e727e64272b7736f98d5dbaaf86298ef28b1ec48281a7f7e318b8c105
Instruction Fuzzy Hash: 6822DF34B001058FEB24DB68D894AADBBB2FF89314F2495A9D646DB3A1DF35DC418B90

Function 00CCBF20 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4623132733.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cc0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d8fd6e22d48aef6f6253ec63b9fe0353e4bb2468dcc440c6050f27ec51bcee
Instruction ID: d4a0dfcfc1e9ef15ea0bf22fb6129e1ceea64819125bad6b0e5a34870438a830
Opcode Fuzzy Hash: e9d8fd6e22d48aef6f6253ec63b9fe0353e4bb2468dcc440c6050f27ec51bcee
Instruction Fuzzy Hash: 961296B4CC27468AD710CF66EC8C1897BB1B741314BF2CB09DA616B2E1E7B4156ACF54

Function 0612F64A Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4662311392.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6120000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c0625e4441f70f01ff7bf390e695cc24c971a04396e817030c62fd74197cd7
Instruction ID: 7728e0dd4d5c45f80bc0f1beb0892ea0798b981d679b33cd80ebf6185c486f7f
Opcode Fuzzy Hash: a7c0625e4441f70f01ff7bf390e695cc24c971a04396e817030c62fd74197cd7
Instruction Fuzzy Hash: E2D1F831C20B6ACACB11EB64D990AA9B7B5FFD5300F10979AD14A37211EF706AC5CF91

Function 061244A0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4662311392.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6120000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a99ceb260f0972d633b3dd30bf597d3122daf870288eb92f2f540d14401627c
Instruction ID: e2894adea9e9b8fa69e40f5b6cae8fd5cd22b371e408a8ba32e13e0d4251c4c9
Opcode Fuzzy Hash: 9a99ceb260f0972d633b3dd30bf597d3122daf870288eb92f2f540d14401627c
Instruction Fuzzy Hash: 5CA16B36E102168FCF49DFA4D8804EEBBF2FF84300B15456AE915AB225EB31D925CF80

Function 0612F658 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4662311392.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6120000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c05f1035d6c46e52ce2c9953c997d807cdf47b60889a5533181f024f478d58
Instruction ID: 9ecc0b7afac8277ccbeebbe265959852b1837a1c0d417586f78216a3c9509b22
Opcode Fuzzy Hash: e2c05f1035d6c46e52ce2c9953c997d807cdf47b60889a5533181f024f478d58
Instruction Fuzzy Hash: FCD1E731C20B6ACACB10EB64D990AA9B7B5FFD5300F10979AD14A37215EF706AC5CF91

Function 05EF7C08 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4661269198.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ef0000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9989f1ecbd28e6979cb4d674290b5aed0b358659470f44ba7ed7f285f2ca9573
Instruction ID: 4de6215dcf88e5894a25c2bd0cdb118e29521f11f4a62808cfc296c2853f79d2
Opcode Fuzzy Hash: 9989f1ecbd28e6979cb4d674290b5aed0b358659470f44ba7ed7f285f2ca9573
Instruction Fuzzy Hash: 62815F71E002098FEF24CF99C880AEEBBF2FB49318F54952AE659E7210D735D941CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Halkbank_Ekstre_20230426_075819_154085.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Halkbank_Ekstre__63ff1da9e574e0f28ee4519f715b44d13f4dc8c_42281be4_c13959ba-c1c8-489b-8f14-c06a6f76dd39\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9852.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99CB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Halkbank_Ekstre_20230426_075819_154085.exe

Function 061293D0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 00CC9D92 Relevance: 1.8, APIs: 1, Instructions: 331
COMMON

Function 05EF4B98 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Function 05EFB185 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 05EFB190 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 05EF9CD4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 05EFCEF4 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Function 05EFC8EC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Function 00CCB04B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 00CCCD28 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 00CCB050 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00CCB98C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre