Edit tour

Windows Analysis Report
Po-AD841.exe

Overview

General Information

Sample name:	Po-AD841.exe
Analysis ID:	1567058
MD5:	3a527332eb27810c3e18462d2d8cc232
SHA1:	8d1e0ff62107ad61e330224e9f61d5a134b5282c
SHA256:	e18fae2e11693afffb6335ebc29bc17bb298c5644c2790c45b88dd9860bf9e3f
Tags:	AgentTeslaexeuser-mamrmu
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Po-AD841.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\Po-AD841.exe" MD5: 3A527332EB27810C3E18462D2D8CC232)

Po-AD841.exe (PID: 2044 cmdline: "C:\Users\user\Desktop\Po-AD841.exe" MD5: 3A527332EB27810C3E18462D2D8CC232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.wapination.net", "Username": "wk@wapination.net", "Password": "Leavemealone@26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Po-AD841.exe PID: 6568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Po-AD841.exe PID: 6568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Po-AD841.exe PID: 2044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Po-AD841.exe PID: 2044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Po-AD841.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Po-AD841.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Po-AD841.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33801:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33873:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x338fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3398f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x339f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33a6b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b01:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33b91:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Po-AD841.exe.390ec80.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Po-AD841.exe.390ec80.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Po-AD841.exe.390ec80.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31a01:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31a73:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31afd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31b8f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31bf9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31c6b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31d01:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31d91:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Po-AD841.exe.390ec80.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Po-AD841.exe.390ec80.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Po-AD841.exe.390ec80.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33801:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e631:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9251:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33873:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e6a3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa92c3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x338fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e72d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa934d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3398f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e7bf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa93df:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x339f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e829:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9449:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33a6b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e89b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa94bb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b01:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e931:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9551:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Po-AD841.exe.381c5b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Po-AD841.exe.381c5b0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Po-AD841.exe.381c5b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x125ed1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x160d01:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x19b921:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x125f43:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x160d73:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x19b993:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x125fcd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x160dfd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x19ba1d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12605f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x160e8f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x19baaf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1260c9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x160ef9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x19bb19:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12613b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x160f6b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x19bb8b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1261d1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x161001:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x19bc21:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Po-AD841.exe.37dad80.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Po-AD841.exe.37dad80.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Po-AD841.exe.37dad80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x167701:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a2531:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1dd151:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x167773:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a25a3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1dd1c3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1677fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a262d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1dd24d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16788f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a26bf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1dd2df:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1678f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a2729:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1dd349:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16796b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a279b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1dd3bb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x167a01:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a2831:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1dd451:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.179.234.136, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Po-AD841.exe, Initiated: true, ProcessId: 2044, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Po-AD841.exe

Avira: detected

Found malware configuration

Source: 1.2.Po-AD841.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.wapination.net", "Username": "wk@wapination.net", "Password": "Leavemealone@26"}

Multi AV Scanner detection for submitted file

Source: Po-AD841.exe	ReversingLabs: Detection: 52%
Source: Po-AD841.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Po-AD841.exe

Joe Sandbox ML: detected

Source: Po-AD841.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Po-AD841.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 108.179.234.136:587

Source: Joe Sandbox View

IP Address: 108.179.234.136 108.179.234.136

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 108.179.234.136:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.wapination.net

Source: Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.wapination.net
Source: Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114332988.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120926139.0000000006715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114332988.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120926139.0000000006715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: Po-AD841.exe, 00000000.00000002.1652126638.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653939202.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Po-AD841.exe, 00000000.00000002.1653724822.000000000591B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comic
Source: Po-AD841.exe, 00000000.00000002.1652126638.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653939202.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653724822.000000000591B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120666762.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120978659.0000000006725000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4119640029.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120720580.00000000066CA000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114685725.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120666762.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120978659.0000000006725000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4119640029.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120720580.00000000066CA000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114685725.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Po-AD841.exe, 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Po-AD841.exe	String found in binary or memory: https://aka.ms/binaryformatter
Source: Po-AD841.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Po-AD841.exe	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, 5FiJFFLmv5.cs

.Net Code: _3extOpBhn

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Po-AD841.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Po-AD841.exe

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Po-AD841.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Po-AD841.exe.390ec80.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Po-AD841.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 0_2_00DCDF0C	0_2_00DCDF0C
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_01494230	1_2_01494230
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_01494B00	1_2_01494B00
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_01493EE8	1_2_01493EE8
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0149BE10	1_2_0149BE10
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0149BE20	1_2_0149BE20
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0638A670	1_2_0638A670
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_06380498	1_2_06380498
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_06389228	1_2_06389228
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0638F2A8	1_2_0638F2A8
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_06386020	1_2_06386020
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0638BE00	1_2_0638BE00
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_06383A08	1_2_06383A08
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_0638B720	1_2_0638B720
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_06389970	1_2_06389970
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_063C46E9	1_2_063C46E9
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_063C74DC	1_2_063C74DC
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_063C04D0	1_2_063C04D0
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_063C26E8	1_2_063C26E8
Source: C:\Users\user\Desktop\Po-AD841.exe	Code function: 1_2_063C8071	1_2_063C8071

Source: Po-AD841.exe, 00000000.00000002.1652736475.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef4ce6eba-27b2-4f42-807a-59a27e751d9c.exe4 vs Po-AD841.exe
Source: Po-AD841.exe, 00000000.00000002.1650376775.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Po-AD841.exe
Source: Po-AD841.exe, 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs Po-AD841.exe
Source: Po-AD841.exe, 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef4ce6eba-27b2-4f42-807a-59a27e751d9c.exe4 vs Po-AD841.exe
Source: Po-AD841.exe, 00000000.00000000.1643475825.0000000000362000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameShouldIsee.exe6 vs Po-AD841.exe
Source: Po-AD841.exe, 00000001.00000002.4113973524.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef4ce6eba-27b2-4f42-807a-59a27e751d9c.exe4 vs Po-AD841.exe
Source: Po-AD841.exe, 00000001.00000002.4114133423.0000000000D68000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Po-AD841.exe
Source: Po-AD841.exe	Binary or memory string: OriginalFilenameShouldIsee.exe6 vs Po-AD841.exe

Source: Po-AD841.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Po-AD841.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Po-AD841.exe.390ec80.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Po-AD841.exe, PasswordBasedEncryption.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: Po-AD841.exe, PasswordBasedEncryption.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock', 'TransformBlock'
Source: Po-AD841.exe, PkcsHelpers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Po-AD841.exe.5060000.3.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Po-AD841.exe.5060000.3.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\Po-AD841.exe

Mutant created: NULL

Source: Po-AD841.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Po-AD841.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Po-AD841.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Po-AD841.exe	ReversingLabs: Detection: 52%
Source: Po-AD841.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\Po-AD841.exe "C:\Users\user\Desktop\Po-AD841.exe"
Source: C:\Users\user\Desktop\Po-AD841.exe	Process created: C:\Users\user\Desktop\Po-AD841.exe "C:\Users\user\Desktop\Po-AD841.exe"
Source: C:\Users\user\Desktop\Po-AD841.exe	Process created: C:\Users\user\Desktop\Po-AD841.exe "C:\Users\user\Desktop\Po-AD841.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Po-AD841.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Po-AD841.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Po-AD841.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Po-AD841.exe, XPE.cs

.Net Code: Polan System.AppDomain.Load(byte[])

Source: Po-AD841.exe

Static PE information: 0x91C2FBA4 [Sun Jun 30 02:32:04 2047 UTC]

Source: C:\Users\user\Desktop\Po-AD841.exe

Code function: 1_2_063C8BD0 push es; ret

1_2_063C8BE0

Source: Po-AD841.exe

Static PE information: section name: .text entropy: 7.270205838602211

Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.Po-AD841.exe.5060000.3.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Po-AD841.exe.5060000.3.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'

Source: C:\Users\user\Desktop\Po-AD841.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Po-AD841.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: 4790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Memory allocated: 4CC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe	Window / User API: threadDelayed 2455			Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Window / User API: threadDelayed 7401			Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97231s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -95047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe TID: 2004	Thread sleep time: -94390s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Po-AD841.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98233	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97856	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97449	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97231	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95922	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95594	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95266	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 95047	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94827	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94719	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Thread delayed: delay time: 94390	Jump to behavior

Source: Po-AD841.exe, 00000001.00000002.4114685725.000000000113F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Po-AD841.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Process created: C:\Users\user\Desktop\Po-AD841.exe "C:\Users\user\Desktop\Po-AD841.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Users\user\Desktop\Po-AD841.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Users\user\Desktop\Po-AD841.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Po-AD841.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.Po-AD841.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 2044, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Po-AD841.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Po-AD841.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Po-AD841.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 1.2.Po-AD841.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 2044, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.Po-AD841.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.390ec80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.381c5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Po-AD841.exe.37dad80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Po-AD841.exe PID: 2044, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	21 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Po-AD841.exe	53%	ReversingLabs	Win32.Spyware.Negasteal
Po-AD841.exe	40%	Virustotal		Browse
Po-AD841.exe	100%	Avira	HEUR/AGEN.1307361
Po-AD841.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.wapination.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fonts.comic	0%	Avira URL Cloud	safe
http://mail.wapination.net	0%	Avira URL Cloud	safe
http://mail.wapination.net	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.wapination.net	108.179.234.136	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/binaryformatter	Po-AD841.exe	false		high
http://r10.o.lencr.org0#	Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114332988.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120926139.0000000006715000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fonts.com	Po-AD841.exe, 00000000.00000002.1652126638.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653939202.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comic	Po-AD841.exe, 00000000.00000002.1653724822.000000000591B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	Po-AD841.exe, 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-warnings/	Po-AD841.exe	false		high
http://mail.wapination.net	Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120666762.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120978659.0000000006725000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4119640029.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120720580.00000000066CA000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114685725.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120666762.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120978659.0000000006725000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4119640029.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120720580.00000000066CA000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114685725.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	Po-AD841.exe, 00000001.00000002.4115540840.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120855460.00000000066F9000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4114332988.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.000000000305A000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120772455.00000000066D6000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4115540840.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120877769.0000000006701000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000001.00000002.4120926139.0000000006715000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/serializationformat-binary-obsolete	Po-AD841.exe	false		high
http://www.sajatypeworks.com	Po-AD841.exe, 00000000.00000002.1652126638.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653939202.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp, Po-AD841.exe, 00000000.00000002.1653724822.000000000591B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.234.136	mail.wapination.net	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567058
Start date and time:	2024-12-03 01:23:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Po-AD841.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:24:03	API Interceptor	10493990x Sleep call for process: Po-AD841.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
108.179.234.136	DHL Shipping Documents 0016229753_PDF.exe	Get hash	malicious	AgentTesla	Browse
	95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Shipping Documents_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Win32.PWSX-gen.20769.7015.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Documents_pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	Quotation_#432768#_pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	V-Mail.msg	Get hash	malicious	Unknown	Browse	69.49.245.172
	https://protect.checkpoint.com/v2/r01/___https:/vlp6cm34.r.us-east-1.awstrack.me/Q5dmyyux:e7Ke7Kjrfnq.ynintwjuqD.htr7Kh7KjOBJBJLTmXFRFSIYBSOlvWZ1QLgoUfHylhY/JnF_riAUpCWczNA0yO_jaB~oG6AYM23pBoyDNMJ-PJR-NmPFsN~VgZA/PF0HUyICotYzOGFnKvZNBMhC~KfYclayEc_La~ccZq7wY-S_IKBLwx/KWAAv8MVfzRwNM6LCN8Jigf~80C6gkuabRjmLM--7qPAcOAlUFFI__5pCS9Bd6d565556c8b~/hi595-9hb~3gh-a~bg-9bgb-ci5/-b9jf76k5b9g~-555555do29l0Y3hHjFJM3POpxyJsMjDY~5=957___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmNkMzFiOWRiNjRlNzYwZWExOWZkZjZlZWU4YmI5NjkyOjc6NjQxYjozOTM5M2Y5MjlmZWNkMGUzMGYzMjUxMGFiZDQ0YjU2Mzg5ODdlNDNlNTAyN2VlYjBmMjQxZjc3Mjg5OGNiMWQxOmg6VDpU%3E	Get hash	malicious	Unknown	Browse	69.49.245.172
	[EXTERNAL] Fw_ LVW 1201831..eml	Get hash	malicious	Unknown	Browse	69.49.230.198
	ATT4802.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	http://calcuttaclub.in/images/uanjodgs/florida-access/	Get hash	malicious	Unknown	Browse	162.214.50.135
	https://public-usa.mkt.dynamics.com/api/orgs/010a432a-e2a3-ef11-8a66-6045bd016f25/r/movKLLTpWUCqpRQQ2_8SfQEAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fapp.seesaw.me%252Fpages%252Fshared_item%253Fitem_id%253Ditem.96abdfb3-93cb-482c-822f-f1d275a42e6e%2526share_token%253DDfLCj_YZQZedsrWVvLwerg%2526mode%253Dshare%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=kBeCY6h3I2oKWHussXexCqSpSk%2BEhyyLm0j2TqAuyLY%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	Unknown	Browse	108.167.188.62
	https://francinecrowley.com/res444.php?4-68747470733a2f2f6a6247772e797a7675666e78632e72752f534e4e6766774f2f-#	Get hash	malicious	Unknown	Browse	69.49.245.172
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	108.179.253.197
	Finalize_Agreement_DocuSign.pdf	Get hash	malicious	Captcha Phish	Browse	192.254.225.121

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.25923195650576
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Po-AD841.exe
File size:	590'336 bytes
MD5:	3a527332eb27810c3e18462d2d8cc232
SHA1:	8d1e0ff62107ad61e330224e9f61d5a134b5282c
SHA256:	e18fae2e11693afffb6335ebc29bc17bb298c5644c2790c45b88dd9860bf9e3f
SHA512:	8b73e19e619fe215f599e753175c65016bd173ddd8b0150e71e0d44c9d9a147d9cb222962d42cac997c085cd5c67c508fe76bae82c0bcdfe4a4b678d534bdfff
SSDEEP:	6144:xBNKlTzsZlVeK6Kr2t2Xnu1+rmnhQ2AI5PtNlgmsBMHb+Hsv4xirrWaB+coKkp+7:DNaGVeGr2td4mnhNPJ3Hfv4xXaBGl
TLSH:	CFC4D0683BF89F2EE6BF4A35E07120598F7AF44AD023FB4D0889956D1452790EA50F37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x49171e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x91C2FBA4 [Sun Jun 30 02:32:04 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x916d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8f724	0x8f800	7af1e5a08a00ffffeb6d690a604c0469	False	0.6578441447081882	data	7.270205838602211	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5b6	0x600	9f513572db89ca08c2ddf54e496d6d95	False	0.4192708333333333	data	4.088618274686686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	187df521a028f5ea616f28e74db273d7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x920a0	0x32c	data			0.4236453201970443
RT_MANIFEST	0x923cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 01:24:04.515337944 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:04.635360956 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:04.635443926 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:05.781774998 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:05.782655954 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:05.902565956 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.123326063 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.130235910 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:06.250195980 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.463572025 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.470777988 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:06.590663910 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.812618017 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.812663078 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.812680006 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:06.812711954 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:06.842763901 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:06.962709904 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.174700975 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.190819979 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:07.310805082 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.522597075 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.523535013 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:07.643538952 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.855701923 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:07.856076002 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:07.976037979 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.297349930 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.298218966 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:08.418128967 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.629730940 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.629973888 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:08.749907017 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.963659048 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:08.963865042 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:09.083822012 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.297333956 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.297996044 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:09.298063040 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:09.298096895 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:09.298125982 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:24:09.418015003 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.418030977 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.418046951 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.418088913 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.649795055 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:24:09.700193882 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:43.903518915 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:44.023487091 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:44.235225916 CET	587	49734	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:44.240124941 CET	49734	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:55.215745926 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:55.335967064 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:55.336052895 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:56.673012972 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:56.673263073 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:56.793184996 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.023602962 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.042042017 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:57.161962032 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.393353939 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.393889904 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:57.513896942 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.768552065 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.768593073 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.768603086 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:57.768738031 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:57.771725893 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:57.891587973 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.134063959 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.138331890 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:58.258325100 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.488466978 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.488773108 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:58.609296083 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.839237928 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.839467049 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:58.913778067 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:58.959438086 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:58.965795994 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:59.033940077 CET	587	49862	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:59.042119026 CET	49862	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:25:59.085814953 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:25:59.089920044 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:00.311870098 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:00.314223051 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:00.434293032 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:00.656080008 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:00.656223059 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:00.776101112 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:00.998073101 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.002264977 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:01.180047035 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.364919901 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.364979982 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.364989996 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.367746115 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:01.377986908 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:01.497912884 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.719125032 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:01.739079952 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:01.859030008 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.079981089 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.090064049 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:02.210161924 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.431731939 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.432056904 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:02.552104950 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.774533987 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:02.774734020 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:02.894709110 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.122383118 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.122766972 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.242825031 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.465455055 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.465738058 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.585669041 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.812382936 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.813996077 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.814060926 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.814125061 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.814193964 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.815771103 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.934031010 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.934077978 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.934096098 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.934120893 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.934200048 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.934245110 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.935748100 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.935765982 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.935810089 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.935827017 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.935913086 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.935921907 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.935961008 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.935983896 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.936016083 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.936065912 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.936077118 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.936103106 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.936127901 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.936147928 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.936162949 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.936203003 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:03.936208963 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:03.936243057 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.054049015 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.054109097 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.054131985 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.054179907 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.055742979 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.055788994 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.055828094 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.055891037 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.055990934 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056040049 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.056087017 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056123972 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056130886 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.056173086 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.056217909 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056226969 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056273937 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.056317091 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056380987 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.056428909 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.056525946 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.098721027 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.098773956 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.174109936 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.174185991 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.174199104 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.174263954 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:04.175702095 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.175820112 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.175909996 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.175988913 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176063061 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176163912 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176192999 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176275969 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176414967 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176481009 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176537991 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176547050 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176589012 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176623106 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176682949 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176743031 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176841021 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176851034 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176951885 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.176959991 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.177032948 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.177042007 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.177082062 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.177191019 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.218728065 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.218846083 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.294183969 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.294193983 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.294239044 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.294249058 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.294322014 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.643066883 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:04.793858051 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:05.314757109 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:05.434644938 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:05.656873941 CET	587	49873	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:05.657310963 CET	49873	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:05.659729958 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:05.779637098 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:05.779808044 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:07.017122030 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:07.019864082 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:07.139935970 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:07.383230925 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:07.383867025 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:07.504641056 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:07.735744953 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:07.743726969 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:07.863795042 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.101445913 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.101522923 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.101532936 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.101571083 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:08.103112936 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:08.222927094 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.481458902 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.482268095 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:08.602127075 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.832392931 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:08.832818031 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:08.952792883 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.183125019 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.183984995 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:09.303834915 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.535087109 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.535398960 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:09.655261993 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.885361910 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:09.887916088 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.007823944 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.239447117 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.239685059 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.359545946 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.589674950 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.590055943 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.590096951 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.590163946 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.590298891 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.591763020 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.710021019 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.710031986 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.710091114 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.710314989 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.710325003 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.710370064 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711745977 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711766005 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711800098 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711817980 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711827040 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711846113 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711868048 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711879015 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711890936 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711918116 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.711940050 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.711961031 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.712007999 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.712018013 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.712038040 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.712048054 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.712080956 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.830095053 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.830218077 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.830353975 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.831757069 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.831809998 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.831820965 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.831875086 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.831888914 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.831938028 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.831969023 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832015038 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.832103968 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832149982 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.832226992 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832237005 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832245111 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832293034 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.832313061 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.832355976 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.832406044 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.878801107 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.878864050 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.950392008 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.950531960 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.951857090 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.951906919 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:10.952020884 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952054024 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952127934 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952208996 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952277899 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952337027 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952440977 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952476978 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952523947 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952533007 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952636003 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952644110 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952666044 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952672958 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952735901 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952785015 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952863932 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952893019 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952948093 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.952990055 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.953053951 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.953113079 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.998869896 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:10.999167919 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.071990967 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.072000980 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.072052956 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.072061062 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.072154045 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.444514036 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:11.519335032 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:15.642630100 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:15.762557983 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:15.992664099 CET	587	49889	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:15.993134022 CET	49889	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:15.994237900 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:16.114093065 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:16.114151001 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:17.357332945 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:17.358000040 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:17.477994919 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:17.708471060 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:17.708651066 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:17.828511000 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.059675932 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.060168028 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:18.180032015 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.422766924 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.422841072 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.422852993 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.422883987 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:18.427333117 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:18.547528982 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.777992010 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:18.778827906 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:18.898693085 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.129342079 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.130290031 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:19.250158072 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.480812073 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.482789993 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:19.602746010 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.834183931 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:19.837951899 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:19.957914114 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.188157082 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.188452959 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.313586950 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.540338039 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.540565968 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.660589933 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.890680075 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:20.891005039 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.891093016 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.891093016 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.891159058 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:20.892205954 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.010961056 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.010999918 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.011063099 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.011157036 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.011158943 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.011725903 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.012187004 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012197971 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012250900 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012312889 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012373924 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012432098 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012442112 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.012501001 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012545109 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012590885 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.012613058 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.012653112 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.015304089 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.111362934 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.131073952 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.131717920 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.131763935 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.132386923 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.132436037 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.132482052 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.132533073 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.132596016 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.132885933 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.132987022 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.135220051 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.135381937 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.139739990 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.178917885 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.183422089 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.231544971 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.235826015 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.251823902 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.254065037 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.259426117 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.259485960 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:21.259682894 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.259763002 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.259771109 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.259810925 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.303356886 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.303487062 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.374128103 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.374198914 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.374361038 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.374370098 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.379708052 CET	587	49910	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:21.381937981 CET	49910	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:22.423918962 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:22.424060106 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:22.545608044 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:22.765377045 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:22.765589952 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:22.885513067 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.107292891 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.115251064 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:23.235215902 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.463727951 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.463800907 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.463810921 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.463901997 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.464890003 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:23.480947971 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:23.600850105 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.822271109 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:23.823148012 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:23.943166971 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.164021015 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.164309978 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:24.284229040 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.505361080 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.505618095 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:24.625519037 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.847558975 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:24.847783089 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:24.967863083 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.189436913 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.195725918 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.315629959 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.538165092 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.538382053 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.658263922 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.879240036 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.879601002 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.879690886 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.879690886 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.879730940 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.883809090 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.999614000 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.999670982 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.999680042 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.999679089 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:25.999774933 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:25.999813080 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.003760099 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.003812075 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.003823042 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.003870010 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.003871918 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.003882885 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.003926039 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.003969908 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.003993034 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.004014969 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.004033089 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.004090071 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.004101038 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.004138947 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.004168034 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.004173994 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.004215002 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.119585991 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.119640112 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.119695902 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.119743109 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.123848915 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.123904943 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124068975 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124126911 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124223948 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124278069 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124320984 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124366045 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124372959 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124423981 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124459028 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124511957 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124541044 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124596119 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124650002 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124686956 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.124717951 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.124741077 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.166848898 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.166923046 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.239660025 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.239701033 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.239752054 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:26.243824959 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244085073 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244203091 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244426966 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244571924 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244756937 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.244843006 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245048046 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245181084 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245320082 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245326996 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245461941 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245470047 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245543003 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245549917 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245657921 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245668888 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245759010 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245774031 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245887041 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245902061 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.245987892 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.246004105 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.246083021 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.286880970 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.287095070 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.360392094 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.360446930 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.360507011 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.360925913 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.360970020 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.712662935 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:26.762588978 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:41.626054049 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:41.746117115 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:41.967288017 CET	587	49924	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:41.967771053 CET	49924	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:41.969132900 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:42.089054108 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:42.089128971 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:43.234761953 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:43.238769054 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:43.358628988 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:43.570441008 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:43.571835041 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:43.691874981 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:43.904347897 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:43.915045023 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:44.035039902 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.259255886 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.259279013 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.259290934 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.259339094 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:44.261243105 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:44.381207943 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.592938900 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.640100002 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:44.759941101 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.973928928 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:44.977859974 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:45.097783089 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:45.310169935 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:45.311985016 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:45.431886911 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:45.705615997 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:45.707849026 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:45.827743053 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.039484978 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.039640903 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.159756899 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.373016119 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.373301029 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.493309021 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.704834938 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.706363916 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.706399918 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.706425905 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.706468105 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.725465059 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.826216936 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.826272964 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.826328039 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.826342106 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.826344967 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.826385021 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845551014 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845560074 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845612049 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845624924 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845633984 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845673084 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845700026 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845706940 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845781088 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845798969 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845815897 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845837116 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845865011 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.845875978 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.845921993 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.946131945 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.946202993 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.946290970 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.946340084 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.965698957 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.965781927 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.965802908 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.965857983 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.965874910 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.965918064 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.965986967 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966033936 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.966057062 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966101885 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.966120005 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966176033 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.966195107 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966243982 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.966259956 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966310978 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:46.966327906 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:46.966372967 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:47.006989956 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.007046938 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:47.066159964 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.066344023 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.066374063 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:47.066390038 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:26:47.085971117 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086143017 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086186886 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086361885 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086494923 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086592913 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086714029 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086796045 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086877108 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.086982012 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087100029 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087107897 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087115049 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087151051 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087208033 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087266922 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087323904 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087377071 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087431908 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087480068 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087529898 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087621927 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087640047 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.087723017 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.126964092 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.127027035 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.186357975 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.186378002 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.186439037 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.186481953 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.186532021 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.508466005 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:26:47.709789038 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:01.799556017 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:01.919394970 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:02.131129026 CET	587	49970	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:02.131438971 CET	49970	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:02.132402897 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:02.252300024 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:02.252374887 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:03.440236092 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:03.440457106 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:03.560487032 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:03.781992912 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:03.782138109 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:03.902308941 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.123934984 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.124387026 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:04.244271040 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.473398924 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.473453045 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.473463058 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.473495007 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:04.473520041 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.473560095 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:04.475279093 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:04.595139027 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.816140890 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:04.818069935 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:04.937987089 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.159126997 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.159874916 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:05.279761076 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.501305103 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.501794100 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:05.621717930 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.844100952 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:05.844402075 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:05.964272976 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.185580015 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.185862064 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.305757046 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.529016018 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.529203892 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.649233103 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.870022058 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.870450974 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.870492935 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.870512962 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.870604038 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.872441053 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.990499020 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.990540981 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.990550995 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.990566969 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.990569115 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.990633965 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992326975 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992377996 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992429018 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992480040 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992516994 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992564917 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992657900 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992702961 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992710114 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992754936 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992825031 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992871046 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:06.992902994 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:06.992949009 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.110447884 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.110457897 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.110599041 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.110713959 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.110771894 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.110806942 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.112335920 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.112445116 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.112452030 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.112535000 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.112651110 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.112780094 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.112934113 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.112967968 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.113071918 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.113181114 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.115712881 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.159109116 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.167692900 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.230753899 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.230763912 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.230801105 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.232534885 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.232650995 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.232747078 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.232816935 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.232832909 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.232832909 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:07.232846022 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.232914925 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.233011961 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.233114958 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.233216047 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.235764027 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.235815048 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.235912085 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.235922098 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.236047983 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.236054897 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.236100912 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.236143112 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.236186981 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.287664890 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.287708998 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.352870941 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.352881908 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.352979898 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.352993965 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353091955 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353120089 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353194952 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353224039 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353288889 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353312016 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353415966 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353472948 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353610039 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353662968 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.353671074 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.706598043 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:07.763684988 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:41.347668886 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:41.467885017 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:41.689034939 CET	587	50014	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:41.691034079 CET	50014	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:41.692111015 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:41.812274933 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:41.812396049 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:43.049810886 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:43.049927950 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:43.169838905 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:43.400804043 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:43.403836012 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:43.523703098 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:43.754832029 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:43.755358934 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:43.875232935 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.118315935 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.118329048 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.118339062 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.118391991 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:44.120426893 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:44.240477085 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.471647978 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.473890066 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:44.593838930 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.824419022 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:44.824641943 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:44.944511890 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.175307989 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.175884008 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:45.295804024 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.630331039 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.635853052 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:45.755762100 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.986283064 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:45.987822056 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.107718945 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.340976000 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.341156960 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.461061954 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.691358089 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.691637993 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.691688061 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.691720009 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.691767931 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.694746971 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.811655045 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.811670065 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.811681032 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.811692953 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.811707973 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.811732054 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.814709902 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814755917 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.814786911 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814831972 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.814857006 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814867020 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814899921 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.814938068 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814949036 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.814960003 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.815006018 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.931682110 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.931690931 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.931700945 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.931709051 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.931742907 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.931785107 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.934751987 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.934803009 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.934974909 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935029030 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.935077906 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935112953 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935125113 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.935159922 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935164928 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.935200930 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.935244083 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935286999 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.935306072 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.935350895 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:46.979458094 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:46.979509115 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:47.051821947 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.051897049 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:47.051927090 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.051979065 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:47.052016020 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.052076101 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:47.052105904 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.052151918 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:47.054774046 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.054980040 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055089951 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055154085 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055202961 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055325031 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055372953 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055454969 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055541039 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055562019 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055596113 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055682898 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055722952 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055820942 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055830002 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.055879116 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.099473953 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.099533081 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172302961 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172311068 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172414064 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172472000 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172610044 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172619104 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172677040 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172729015 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172812939 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172821999 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172873020 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172913074 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.172964096 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.558706999 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:47.653225899 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:55.532763958 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:55.653657913 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:55.883145094 CET	587	50016	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:55.884027958 CET	50016	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:55.887666941 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:56.007601023 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:56.007781982 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:57.244540930 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:57.251667023 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:57.371634007 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:57.593097925 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:57.593249083 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:57.713092089 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:57.934984922 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:57.935672045 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:58.055531025 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.283632994 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.283696890 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.283713102 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.283741951 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:58.285737038 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:58.408333063 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.626948118 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.629061937 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:58.751091003 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.970141888 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:58.970359087 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:59.090363026 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:59.311886072 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:59.312237024 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:59.432187080 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:59.654639006 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:59.654827118 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:27:59.775535107 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:27:59.996515989 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.000102043 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.120246887 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.343655109 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.343882084 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.463804007 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.684606075 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.684900999 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.684941053 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.684967995 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.685007095 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.690179110 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.806102037 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.806113005 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.806117058 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.806119919 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.806186914 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.810269117 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810314894 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810336113 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.810395002 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810399055 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810463905 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810482025 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810525894 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.810528994 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.810528994 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.810550928 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.810569048 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.926067114 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.926074982 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.926153898 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.926156998 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.926254988 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930406094 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.930469036 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930505037 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.930563927 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930608034 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.930660963 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930699110 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.930749893 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930859089 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.930906057 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.930963039 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.931020021 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.931026936 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.931081057 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:00.975389004 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:00.975446939 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:01.046315908 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.046377897 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:01.046471119 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.046536922 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:01.046554089 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.046602964 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:01.050370932 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050512075 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050587893 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050630093 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050828934 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050903082 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050947905 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.050956964 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051045895 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051163912 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051211119 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051249981 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051268101 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051331997 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051348925 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051384926 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.051429987 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.096313953 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.096323013 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166574001 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166582108 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166585922 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166593075 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166600943 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166608095 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166615963 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166625023 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166719913 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166727066 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166822910 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166838884 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.166927099 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.554838896 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:01.606383085 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.200803995 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.320862055 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:03.518035889 CET	50018	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.541601896 CET	587	50017	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:03.541950941 CET	50017	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.543653965 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.637948990 CET	587	50018	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:03.638058901 CET	50018	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:03.663674116 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:03.663742065 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.825149059 CET	50018	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.852696896 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:04.852802038 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.873845100 CET	587	50018	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:04.873920918 CET	50018	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.878747940 CET	50020	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.946403980 CET	587	50018	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:04.946459055 CET	50018	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:04.972673893 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:04.999655962 CET	587	50020	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:04.999723911 CET	50020	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:05.195961952 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:05.241419077 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:05.970936060 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:05.971653938 CET	50020	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.029670000 CET	50021	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.090871096 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.091912985 CET	587	50020	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.091984987 CET	50020	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.149842024 CET	587	50021	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.149918079 CET	50021	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.313380957 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.313750982 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.433680058 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.665221930 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.665236950 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.665247917 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.665263891 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:06.665297031 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.665328026 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.666589022 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:06.786447048 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:07.007755995 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:07.008493900 CET	50019	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:07.128623962 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:07.291323900 CET	587	50021	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:07.340702057 CET	50021	587	192.168.2.4	108.179.234.136
Dec 3, 2024 01:28:07.349570990 CET	587	50019	108.179.234.136	192.168.2.4
Dec 3, 2024 01:28:07.394292116 CET	50019	587	192.168.2.4	108.179.234.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 01:24:03.891412973 CET	53924	53	192.168.2.4	1.1.1.1
Dec 3, 2024 01:24:04.507953882 CET	53	53924	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 01:24:03.891412973 CET	192.168.2.4	1.1.1.1	0x9db1	Standard query (0)	mail.wapination.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 01:24:04.507953882 CET	1.1.1.1	192.168.2.4	0x9db1	No error (0)	mail.wapination.net		108.179.234.136	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 3, 2024 01:24:05.781774998 CET	587	49734	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:24:05 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:24:05.782655954 CET	49734	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:24:06.123326063 CET	587	49734	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:24:06.130235910 CET	49734	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:24:06.463572025 CET	587	49734	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:25:56.673012972 CET	587	49862	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:25:56 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:25:56.673263073 CET	49862	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:25:57.023602962 CET	587	49862	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:25:57.042042017 CET	49862	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:25:57.393353939 CET	587	49862	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:26:00.311870098 CET	587	49873	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:26:00 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:26:00.314223051 CET	49873	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:26:00.656080008 CET	587	49873	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:26:00.656223059 CET	49873	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:26:00.998073101 CET	587	49873	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:26:07.017122030 CET	587	49889	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:26:06 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:26:07.019864082 CET	49889	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:26:07.383230925 CET	587	49889	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:26:07.383867025 CET	49889	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:26:07.735744953 CET	587	49889	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:26:17.357332945 CET	587	49910	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:26:17 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:26:17.358000040 CET	49910	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:26:17.708471060 CET	587	49910	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:26:17.708651066 CET	49910	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:26:18.059675932 CET	587	49910	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:26:22.423918962 CET	587	49924	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:26:22 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:26:22.424060106 CET	49924	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:26:22.765377045 CET	587	49924	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:26:22.765589952 CET	49924	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:26:23.107292891 CET	587	49924	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:26:43.234761953 CET	587	49970	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:26:42 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:26:43.238769054 CET	49970	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:26:43.570441008 CET	587	49970	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:26:43.571835041 CET	49970	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:26:43.904347897 CET	587	49970	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:27:03.440236092 CET	587	50014	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:27:03 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:27:03.440457106 CET	50014	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:27:03.781992912 CET	587	50014	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:27:03.782138109 CET	50014	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:27:04.123934984 CET	587	50014	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:27:43.049810886 CET	587	50016	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:27:42 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:27:43.049927950 CET	50016	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:27:43.400804043 CET	587	50016	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:27:43.403836012 CET	50016	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:27:43.754832029 CET	587	50016	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:27:57.244540930 CET	587	50017	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:27:56 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:27:57.251667023 CET	50017	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:27:57.593097925 CET	587	50017	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:27:57.593249083 CET	50017	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:27:57.934984922 CET	587	50017	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:28:04.852696896 CET	587	50019	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:28:04 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:28:04.852802038 CET	50019	587	192.168.2.4	108.179.234.136	EHLO 960781
Dec 3, 2024 01:28:04.873845100 CET	587	50018	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:28:04 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2024 01:28:05.195961952 CET	587	50019	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 960781 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2024 01:28:05.970936060 CET	50019	587	192.168.2.4	108.179.234.136	STARTTLS
Dec 3, 2024 01:28:06.313380957 CET	587	50019	108.179.234.136	192.168.2.4	220 TLS go ahead
Dec 3, 2024 01:28:07.291323900 CET	587	50021	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 02 Dec 2024 18:28:06 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.

Target ID:	0
Start time:	19:23:57
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\Po-AD841.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Po-AD841.exe"
Imagebase:	0x360000
File size:	590'336 bytes
MD5 hash:	3A527332EB27810C3E18462D2D8CC232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1652794160.0000000003799000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:23:58
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\Po-AD841.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Po-AD841.exe"
Imagebase:	0x940000
File size:	590'336 bytes
MD5 hash:	3A527332EB27810C3E18462D2D8CC232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4113973524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4115540840.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	7

Executed Functions

Function 00DCD349 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DCD3D6
GetCurrentThread.KERNEL32 ref: 00DCD413
GetCurrentProcess.KERNEL32 ref: 00DCD450
GetCurrentThreadId.KERNEL32 ref: 00DCD4A9

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 13e5b422ccc00cbe35d3fb1bffe4d92dab4761f6c34c973d396a4f251bbd647b
Instruction ID: 89558c591099725b3f0cf2e1df532a43fb440b2db55c014a3f999d7826a07424
Opcode Fuzzy Hash: 13e5b422ccc00cbe35d3fb1bffe4d92dab4761f6c34c973d396a4f251bbd647b
Instruction Fuzzy Hash: A65147B0900249CFDB14DFAAD948B9EBBF2EF88304F24C469E119A7361D774A944CF65

Function 00DCD358 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DCD3D6
GetCurrentThread.KERNEL32 ref: 00DCD413
GetCurrentProcess.KERNEL32 ref: 00DCD450
GetCurrentThreadId.KERNEL32 ref: 00DCD4A9

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 52c6801f431a842ea82375a002e02a4966ecdfa012b6cb1ed44c8831236fd411
Instruction ID: 54302e9258e3ffb988ede3ec44a4a3abf193a0df11b8d8e6006246a925e6ed64
Opcode Fuzzy Hash: 52c6801f431a842ea82375a002e02a4966ecdfa012b6cb1ed44c8831236fd411
Instruction Fuzzy Hash: 9A5137B0900249CFDB14DFAAD548B9EBBF1EF88314F24C469E119A7360D774A944CF65

Function 00DCB0D0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DCB326

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0415a4c1b39b2184fa8bb1a1c29838b786238ee0c2f75ea845541102767d86a1
Instruction ID: 58b0bfb50fd4d80b4de60bf8d1b66ad5f41540e6f87e4c84ffaae922cecb3b02
Opcode Fuzzy Hash: 0415a4c1b39b2184fa8bb1a1c29838b786238ee0c2f75ea845541102767d86a1
Instruction Fuzzy Hash: 57816570A00B068FD724DF2AD455B6ABBF1FF88310F04892ED086D7A50DB74E849CBA1

Function 00DC590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00DC59C9

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1da209f73b7a487a6ea3ba5165cdebfac126c7de47ec8e9affdcb664761d6552
Instruction ID: 5074366e935733d602a07789189b3596952b60e9c364629afb63f7ef54c95d20
Opcode Fuzzy Hash: 1da209f73b7a487a6ea3ba5165cdebfac126c7de47ec8e9affdcb664761d6552
Instruction Fuzzy Hash: C841F6B0C0071ACEDF14CFA9D884B9EBBF5BF48304F2481AAD408AB255DB756985CF90

Function 00DC4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00DC59C9

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cb980d903202436b2c2eb25da2f1d33ebc0f1cbee208ad5f8fd9dbe0b8f8dcc3
Instruction ID: b5b206cd6587683a65e68716abdd119fdb20d7a53bce53164887b0ddffe141c0
Opcode Fuzzy Hash: cb980d903202436b2c2eb25da2f1d33ebc0f1cbee208ad5f8fd9dbe0b8f8dcc3
Instruction Fuzzy Hash: 4141D4B0D00619DBDB24CFA9C844B9EBBB5BF49304F248169D408AB255DB756985CF90

Function 00DCD599 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCD627

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c56addb6613d59aef85d1303c254edbba9f85a6b2adf1eaf140ce4b92e8d4c9
Instruction ID: 2b3ad069d828c7ed40ecb23d1682473ad2176bb30748b23e89808970dd8c4704
Opcode Fuzzy Hash: 2c56addb6613d59aef85d1303c254edbba9f85a6b2adf1eaf140ce4b92e8d4c9
Instruction Fuzzy Hash: 2A2114B5D00219DFDB10CF9AD884AEEBFF5EB48314F14802AE918A3310C374A944CFA4

Function 00DCD5A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCD627

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 69b44710fde6f228cc46d34707f42eda280e01eb1fc5e9507dfab6e878a014d9
Instruction ID: 67c40b28e482b55458021262d3d98e568f70d96a9faeb1e705d7227be814e8ba
Opcode Fuzzy Hash: 69b44710fde6f228cc46d34707f42eda280e01eb1fc5e9507dfab6e878a014d9
Instruction Fuzzy Hash: A321E4B59002599FDB10CF9AD984ADEBFF5EB48310F14801AE958A3310C374A944CFA4

Function 00DCB2C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DCB326

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c885fb7da0c2240e2a1150b055aaacad8a3a9a1bb6cdb0e887c38a62e4157e4a
Instruction ID: 8543c4dfab062dcb1e2765caeb19e082a17d10b7d05dc71bc4a76459711301c6
Opcode Fuzzy Hash: c885fb7da0c2240e2a1150b055aaacad8a3a9a1bb6cdb0e887c38a62e4157e4a
Instruction Fuzzy Hash: 3411DFB5C003498FCB10DF9AD444BDEFBF4AF88324F14846AD859A7210C375A545CFA5

Function 008ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650281809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
Instruction ID: 900a59333288efdfe501a2735c2c5f80b1aac0d99d27823064260924e3d7c263
Opcode Fuzzy Hash: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
Instruction Fuzzy Hash: 53213472504384DFCB05DF15D9C0B2BBF65FB98318F20C569E8098B256C336D85ACBA2

Function 008ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650281809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a01a37edb90204163989f884950a7be31d2f3d1a6f9a19f2296a9b93be26b4
Instruction ID: 91f59101d64610c2ab96fbc2dd89be288c9f67d89b27eb3bf65dbe2ff8e06f25
Opcode Fuzzy Hash: 52a01a37edb90204163989f884950a7be31d2f3d1a6f9a19f2296a9b93be26b4
Instruction Fuzzy Hash: 54213A71504384DFDB05DF15D9C0B16BFA5FBA5318F20C169E9098F296C336E85AC7A2

Function 008FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650311689.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
Instruction ID: 419fff927b7d1e2f2e67b815db0a6f8000a29acfd0dbfd396e1d7343e9dadf39
Opcode Fuzzy Hash: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
Instruction Fuzzy Hash: 5221F571504708DFDB14DF24D584B26BB66FBC4314F20C569DB098B356CB3AD847CA61

Function 008ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650281809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3330c689c45aa7897cbb180579b3747aa3eeee490ab5a841e9b73db756940678
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A311B176504380CFCB16CF14D9C4B16BF71FB94318F24C6AAD8494B656C336D85ACBA1

Function 008ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650281809.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d49b323c82fef08a63c33289d743884465759cfbb7c2b71d25de91e8c9da7651
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1311DF76404380CFCB02CF00D5C4B16BF71FBA4328F24C2A9D8094B256C33AE85ACBA1

Function 008FD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650311689.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d2cfdcd8f217cc85eaa34925b9b3920171c4983938793c1bba417af50da9b747
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4A11BE75504784CFCB15CF24D5C4B25FB62FB84314F24C6AADA098B656C33AD80ACB61

Non-executed Functions

Function 00DCDF0C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651504005.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308c121c688bca5af97a95ee79809076b95b988b016b03758fdad6d5add276d5
Instruction ID: 7136d451306358689948355d7a55980159291e3551fe2b7469bf06c29779bc16
Opcode Fuzzy Hash: 308c121c688bca5af97a95ee79809076b95b988b016b03758fdad6d5add276d5
Instruction Fuzzy Hash: B7A14A32A1020A8FCF05DFA5C840ADEB7B3FF84300B25457EE906AB265DB31D955CB60

Analysis Process: Po-AD841.exePID: 2044, Parent PID: 6568COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	16

Executed Functions

Function 06386020 Relevance: 9.0, Strings: 6, Instructions: 1478COMMON

Download Yara Rule

Strings

$^q, xrefs: 063873F3
$^q, xrefs: 06387434
$^q, xrefs: 0638741C
$^q, xrefs: 06387440
$^q, xrefs: 063873E7
$^q, xrefs: 06387410

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: d7a67c8e91bc740283f02310076b9e5136e12280599720801fd6346370cb7898
Instruction ID: 6a4efd80c4feff8b04b83ea693e48d0d74b5a381dcaefaf064926f410d8a794e
Opcode Fuzzy Hash: d7a67c8e91bc740283f02310076b9e5136e12280599720801fd6346370cb7898
Instruction Fuzzy Hash: 5FD25934E003098FCB64EB68C594AADB7B2FF85314F54C5A9D449AB365DB34EC89CB80

Function 0638BE00 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0638C378
$^q, xrefs: 0638C36C

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 14f46db9ea8ffc35cbc948fd69b5ef487947f4327bed398bf6f904319f34d069
Instruction ID: f2ffb7b829f639bc9c7fd85c45707735a88395b48145588a61afaf14efcdbdb4
Opcode Fuzzy Hash: 14f46db9ea8ffc35cbc948fd69b5ef487947f4327bed398bf6f904319f34d069
Instruction Fuzzy Hash: 0F02AF31B002198FDB54EB78D9906AEB7A2FF84304F148569D406DB394DB35EC8ACBD1

Function 06380498 Relevance: 2.9, Instructions: 2916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e003f8cea5052b900182fa169fc2aa24d17c6e4dbf9c5d6b42ad00e6cf35f7
Instruction ID: 58151dcccb5108085e79b93236d9c9d52f61611ec34528f75614b849b44a12d2
Opcode Fuzzy Hash: 93e003f8cea5052b900182fa169fc2aa24d17c6e4dbf9c5d6b42ad00e6cf35f7
Instruction Fuzzy Hash: 1363E731D10B1A8EDB51EB68C8805D9F7B1FF99300F15D69AE4587B221EB70AAC5CF81

Function 06383A08 Relevance: 2.2, Instructions: 2230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5df4e74cf268528b3dea80468f0c3f2b6af83c62dd0cefdda2ff666f9240308
Instruction ID: bb33ef494c854e2979d03afdb7716595a502d55142d56eb74d3ccca4af8bb032
Opcode Fuzzy Hash: f5df4e74cf268528b3dea80468f0c3f2b6af83c62dd0cefdda2ff666f9240308
Instruction Fuzzy Hash: 9D330C31D107198EDB51EF68C8906EDF7B1FF99300F15C69AE458A7221EB70AAC5CB81

Function 06389228 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

$, xrefs: 0638985D

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0464c72c07e50c1a88e8d7b50e5da8a79c115b3f6352cfaa573eff49a4c58d15
Instruction ID: b0d73056630a4db2ff0e7dde82edf4e976ff2675bffd2b0f03f18ef2802dca18
Opcode Fuzzy Hash: 0464c72c07e50c1a88e8d7b50e5da8a79c115b3f6352cfaa573eff49a4c58d15
Instruction Fuzzy Hash: 0922A031E003199FDB65EBA8C8807EEB7B2EF85310F248469D459AB384DA35DD46CBD1

Function 0638A670 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654df7dd4a471a316c02717f53d7a3c7a197ceb6e07d12b3a6f876985da5deaa
Instruction ID: 9ddcc9c9820195b7192fe40e3f70c837e1657872113c98e95fff19c1a6ac8864
Opcode Fuzzy Hash: 654df7dd4a471a316c02717f53d7a3c7a197ceb6e07d12b3a6f876985da5deaa
Instruction Fuzzy Hash: 59629135B003098FDB64EB68D594AADB7F2EF84314F14852AD41ADB394DB35EC4ACB90

Function 0638F2A8 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad40d947ea94fca9a3a2b569f488478151a2ae06ac9f06ede968b943e727228
Instruction ID: 1f0f00d07803b0c5637b5fbf4c3da304147888fb8ff207a512dc46964f324d32
Opcode Fuzzy Hash: 0ad40d947ea94fca9a3a2b569f488478151a2ae06ac9f06ede968b943e727228
Instruction Fuzzy Hash: 3A226130E103098FDF64EA69D5807EDB7B2FB85350F20892AE449DB395DA35DC89CB91

Function 0638ED50 Relevance: 10.4, Strings: 8, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0638EEC4
$^q, xrefs: 0638EE71
$^q, xrefs: 0638EE7D
$^q, xrefs: 0638EF1C
$^q, xrefs: 0638EED0
$^q, xrefs: 0638EF28
$^q, xrefs: 0638EEF3
$^q, xrefs: 0638EEFF

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 235c0d193c27db27ab5665b2cb16875c32ff2770b3e0486337c4ac2a0c543449
Instruction ID: f7b45a24b5c049531dc09818ef497afdf9e3f52aa6f54d1061d931ce5944c128
Opcode Fuzzy Hash: 235c0d193c27db27ab5665b2cb16875c32ff2770b3e0486337c4ac2a0c543449
Instruction Fuzzy Hash: BCE15C30E1030A8FDF65EF69D4946AEB7B2EF94304F208929D4099B354DB35EC4ACB91

Function 0638F6D8 Relevance: 8.0, Strings: 6, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0638FC71
$^q, xrefs: 0638FC65
$^q, xrefs: 0638FC99
$^q, xrefs: 0638FC3D
$^q, xrefs: 0638FCA5
$^q, xrefs: 0638FC31

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: b8bc61897d0aa73c447bda6489eea08aece21f60b6050c26ce3cd284b96a4423
Instruction ID: ced7b7f4a329cb8a718d39a6554bc706615c00f74eee4de5893492c3f8e9d77d
Opcode Fuzzy Hash: b8bc61897d0aa73c447bda6489eea08aece21f60b6050c26ce3cd284b96a4423
Instruction Fuzzy Hash: 3F026B30E103098FDB64EB69D580AEDB7B1FB85390F20892AD409DB355DB35ED89CB91

Function 01499B90 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0149AD86
GetCurrentThread.KERNEL32 ref: 0149ADC3
GetCurrentProcess.KERNEL32 ref: 0149AE00
GetCurrentThreadId.KERNEL32 ref: 0149AE59

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d0b3d629267bc63442a617bf8467ed72b5c6c0eeace17c95653223369b05a5b8
Instruction ID: f661f6c46c6277226e5fca5da9a46f1e11dbf4f5cf277a5ae76d773906c299ba
Opcode Fuzzy Hash: d0b3d629267bc63442a617bf8467ed72b5c6c0eeace17c95653223369b05a5b8
Instruction Fuzzy Hash: A35133B49112498FDB14DFA9D588BAEFFF1EB88314F20845AE019A7260DB349984CF65

Function 0149AD06 Relevance: 6.1, APIs: 4, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0149AD86
GetCurrentThread.KERNEL32 ref: 0149ADC3
GetCurrentProcess.KERNEL32 ref: 0149AE00
GetCurrentThreadId.KERNEL32 ref: 0149AE59

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8251e21d67aea5cfbd28ab628c0767121be278942a7cece8f171c854fcc816ea
Instruction ID: 76b4077a691e677b2ef8b9b1e6dcbd4fc178b7ac0c1b227c0615523bdbbce7d6
Opcode Fuzzy Hash: 8251e21d67aea5cfbd28ab628c0767121be278942a7cece8f171c854fcc816ea
Instruction Fuzzy Hash: A55122B4D10249CFDB14DFA9D548BAEBFF1EB88314F20845AE059AB360DB349984CF65

Function 01499C8C Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 01499E27

Strings

Hbq, xrefs: 0149A088
Hbq, xrefs: 0149A043

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: ActiveWindow
String ID: Hbq$Hbq
API String ID: 2558294473-4258043069
Opcode ID: 8d305fb6e21b55135483d8477f58cf46e8d0a079e469761e5da4403fa3d7dcda
Instruction ID: fcfeae03ab9d9505cc68fa112d7ba39cd33c3c33d4771e2b0060ea9ce5719e9c
Opcode Fuzzy Hash: 8d305fb6e21b55135483d8477f58cf46e8d0a079e469761e5da4403fa3d7dcda
Instruction Fuzzy Hash: 8BC18A70F002599FDF18AFB9C4547AE7BE6BB88340F148429E50AAB390DF349C46CB65

Function 0638D1D0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0638D240
$^q, xrefs: 0638D287
$^q, xrefs: 0638D24C
$^q, xrefs: 0638D27B

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b0c467328156de0c5ac949f1a416f5cb14778d2def34c900657a5c1b295a3ac8
Instruction ID: 1e7d1cd277e7b8495b433879bc2f32272477c5914ea6492c5ea03fd5d0344602
Opcode Fuzzy Hash: b0c467328156de0c5ac949f1a416f5cb14778d2def34c900657a5c1b295a3ac8
Instruction Fuzzy Hash: 11915230B0021A9FDB54EB65D9907AEB3F6AFD4204F108569C809EB388EF70DD46CB95

Function 063887F0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 0638881B
\Ocq, xrefs: 063889CB
XPcq, xrefs: 06388941

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 5ce280cbf247e918767da2b9d5d544ef3c56f528fe7d74886efccbe05c9882e5
Instruction ID: ca136cbc2c5bdefaea8882ee22b85cc3d81583fea07e97aeec7f861a0e2e0cf3
Opcode Fuzzy Hash: 5ce280cbf247e918767da2b9d5d544ef3c56f528fe7d74886efccbe05c9882e5
Instruction Fuzzy Hash: 5B615E30E002099FEB54EFB9C8547AEBAF6FB88300F208429D106AB395DB758D45CB91

Function 0638D1C0 Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0638D240
$^q, xrefs: 0638D27B

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: a64cb3bd0908b82e71359f618ee6a2bedd8ddc94b3009f121f07e73f96520cea
Instruction ID: 1ea11ca9e86d636367b182ab526618558b4c4ef2c947556ae4949dd88ce01848
Opcode Fuzzy Hash: a64cb3bd0908b82e71359f618ee6a2bedd8ddc94b3009f121f07e73f96520cea
Instruction Fuzzy Hash: A0512030B102069FDB54EB75D9A0BAE73F6AF98244F108469C809DB388EF30DC56CB95

Function 063887E2 Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

fcq, xrefs: 0638881B
XPcq, xrefs: 06388941

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 9f0bb3c2986432fc875031ab0a5b29bb432fe968954a33df78857dbe839cc197
Instruction ID: b2b664fa667745e954ca24c11efe362fdf697aa3c16867c002a6043b00b9e7c6
Opcode Fuzzy Hash: 9f0bb3c2986432fc875031ab0a5b29bb432fe968954a33df78857dbe839cc197
Instruction Fuzzy Hash: 97517F30F102189FDB55EFB9C8547AEBAF7BF88700F20852AD145AB395DA758C05CB91

Function 063C4B80 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 063C4CCF

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1c76217d8f776e9738519f1592e7294da73cb213dd47d92c49cda8ef790a8e08
Instruction ID: 3c42b2f8852492e211111f7388c1fd82a5dde9becf46babf7c1055090553e578
Opcode Fuzzy Hash: 1c76217d8f776e9738519f1592e7294da73cb213dd47d92c49cda8ef790a8e08
Instruction Fuzzy Hash: EF41F131D043959FCB14DFB9D8506AEBFF1AF8A220F1589AEE484E7252DB349844CBD1

Function 063C7D64 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063C7E82

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2c4a14ab0cd5f0458ea6f5ecfba941668be6a6ce47ee58792f2f2bcefab50927
Instruction ID: a24940c67ddc8f1c6e899456008db90b7d1f977aa6ecd8c0e722b300053a4bcd
Opcode Fuzzy Hash: 2c4a14ab0cd5f0458ea6f5ecfba941668be6a6ce47ee58792f2f2bcefab50927
Instruction Fuzzy Hash: FE51DDB1D103599FDB14CFA9C884ADEBBB5BF48310F24812EE819AB210D770A985CF91

Function 063C7D70 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063C7E82

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a80ac2e50c61c954b9cb52ddf25002ecae109dda8081ebe8e33923cf60d1247e
Instruction ID: 5f076d3f3e2b209a32dc028d87db640696798399a4a30dd19a0eb5c2f61d9228
Opcode Fuzzy Hash: a80ac2e50c61c954b9cb52ddf25002ecae109dda8081ebe8e33923cf60d1247e
Instruction Fuzzy Hash: 6841BEB1D10359DFDB14CFA9C884ADEBBB5BF48310F24812EE819AB250D7719985CF91

Function 063C75CC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 063C8F49

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a7d00e2e84869b61b896b04a3a30d94c458d6a7a7007ab0ef20e28d9d4aeb737
Instruction ID: 5aad8d317cdd00fc5f9c5b7d326e53d045065c5a06db12f4222c7b99c08c0cf9
Opcode Fuzzy Hash: a7d00e2e84869b61b896b04a3a30d94c458d6a7a7007ab0ef20e28d9d4aeb737
Instruction Fuzzy Hash: AC4129B59003058FDB54CF59C488AAABFF5FB88324F24885DE519A7321C774A941CFA0

Function 063C9ADC Relevance: 1.6, APIs: 1, Instructions: 82comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063C9B70

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0aca26df475d125283fb255e78e8a2fafbf5d8850e1d67a17075eac2857ab97f
Instruction ID: 79fbdc0fc8ff1dcbaa02dd3c54474cdc6f423c8a2476584898ba59cf00c34f11
Opcode Fuzzy Hash: 0aca26df475d125283fb255e78e8a2fafbf5d8850e1d67a17075eac2857ab97f
Instruction Fuzzy Hash: 0B3132B0D01248EFDB14CFA9C984BDEBBF5EF49314F20805AE405BB2A1D7B45949CBA5

Function 063C9AE8 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063C9B70

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 35058c06e0666b2b42c1951678e06df383152ecec6f3fe1ec6d2f761caf605ed
Instruction ID: df6d346fa17c61a3fe1c542922222c58450ae11012eeb2cbce4821f3516e9972
Opcode Fuzzy Hash: 35058c06e0666b2b42c1951678e06df383152ecec6f3fe1ec6d2f761caf605ed
Instruction Fuzzy Hash: 5B31F1B0D01248EFDB14CF99C984BCEBBF5EF48314F248059E404BB294D7B46945CBA5

Function 0149CB30 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0149CBC2

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 29e7f793753d624fa63dd481abc1c2788de03ab29c7aad7ac5bdd9332e31c001
Instruction ID: df6d4baaf3824ac2d66a212b267e4a696cdd477af65f9715a141fd572e19573c
Opcode Fuzzy Hash: 29e7f793753d624fa63dd481abc1c2788de03ab29c7aad7ac5bdd9332e31c001
Instruction Fuzzy Hash: 1D3132B590024A8FCB10DFA9D884B9EFFF4FB59314F14856AD419AB321C374A948CFA5

Function 0149AF4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149AFD7

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bfee0f71e30d43f47b933cb9d01703e68e625deba177fe720059065fe0aa39c0
Instruction ID: 0d97e86794ab32ea6c105b8ed408bf5fa1eb5e76b8068e07bf93bebfb2ca4fdc
Opcode Fuzzy Hash: bfee0f71e30d43f47b933cb9d01703e68e625deba177fe720059065fe0aa39c0
Instruction Fuzzy Hash: 4521E4B59002589FDB10CF9AD984ADEBFF4EB48320F24801AE918A3350C374A940CFA5

Function 0149AF50 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149AFD7

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de2d9c5aaa918b76daa805a3fe49a9609940af80fee46862960915998c8203cd
Instruction ID: 0d268719be6fa1baccbdd7ca4df96362dfd19c61b78ccf343e425c7e7e1b4a54
Opcode Fuzzy Hash: de2d9c5aaa918b76daa805a3fe49a9609940af80fee46862960915998c8203cd
Instruction Fuzzy Hash: 0B21C4B59002589FDB10CF9AD584ADEBFF4EB48310F24841AE954A7350D374A944DFA5

Function 063CB628 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 063CB6AB

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: daa8041bdec57d480b17108a9a9cab63bc3cfc1d651a76e475fc57553bc24e63
Instruction ID: b67b511d7230e7492955386bc906ce717b6bde41ca2affeb9d74d8f47e5df9a5
Opcode Fuzzy Hash: daa8041bdec57d480b17108a9a9cab63bc3cfc1d651a76e475fc57553bc24e63
Instruction Fuzzy Hash: 982137B19002499FCB14DF99C845BEEFBF4EF89320F10842EE459A7250C775A994CFA5

Function 0149CC28 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0149CCA1

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 1a79e50963dd1bf9364c93af8e59c93facc9be6be33d9b33dcfa33811f7e33d5
Instruction ID: dc0c1b949d82028e01d02cb28591c0c7d25459b482ed08a30090c5639bdb89ce
Opcode Fuzzy Hash: 1a79e50963dd1bf9364c93af8e59c93facc9be6be33d9b33dcfa33811f7e33d5
Instruction Fuzzy Hash: 362138B1D002598FDB14CF9AC885BEEFBF4EB98320F14842AD458A7350D778A945CFA5

Function 0149CC30 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0149CCA1

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 1b8d1265b9f2eff5ed2498296632bee37482c4180ef2b255e31614c9f760df4a
Instruction ID: 957b000dc86eb7c67ce351a6f2e92346a97494955e3d790b298e71c6ac55af0d
Opcode Fuzzy Hash: 1b8d1265b9f2eff5ed2498296632bee37482c4180ef2b255e31614c9f760df4a
Instruction Fuzzy Hash: 642108B1D002598FDB14CF9AC845BEEFBF5EB88320F14842AD458A7350D774A945CFA5

Function 0149CFB9 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0149D03D

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 7961f33149fc50c163929693dc270384d5c51a7baf515e5c5daf6ce25f3135c9
Instruction ID: 7d68f85c6bf2ab954c17f01996652c6a6610e464a75eeaacca5848083eb2161f
Opcode Fuzzy Hash: 7961f33149fc50c163929693dc270384d5c51a7baf515e5c5daf6ce25f3135c9
Instruction Fuzzy Hash: 8121FEB6C003499FDB14CF9AD884ADEFBB4FB88354F10842AE918A7210C375A945CFA4

Function 0149CFC0 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0149D03D

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 9364d700a7e059d98993de1f77d3715de8d6e79e98ffe87e949e323d6d232bcb
Instruction ID: f1c1701ee3b56e875d2127be283c071690b95f4097d23fc9e3f7a0fa82147a2d
Opcode Fuzzy Hash: 9364d700a7e059d98993de1f77d3715de8d6e79e98ffe87e949e323d6d232bcb
Instruction Fuzzy Hash: 3221FBB6C003499FDB14CF9AD884ADEFBB4BB88354F10842AE918A7210C375A945CBA4

Function 063CB630 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 063CB6AB

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 3209fadb5b9ca417c603866bbeaf6eaa5f2e76fc9717235b4480a2ad8e74ed98
Instruction ID: 655921e616b233f6e67975442880fc1bdd0cc2ba016bf9f5e3582389f14dbfdb
Opcode Fuzzy Hash: 3209fadb5b9ca417c603866bbeaf6eaa5f2e76fc9717235b4480a2ad8e74ed98
Instruction Fuzzy Hash: 8E2122B1D002198FCB14CF9AC845BEEFBF5EB88320F10842AE459A7250C774A944CFA5

Function 063C4C68 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 063C4CCF

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e5c592ea872827c119e744431f646e3d16f2265ebee175d083622b648527692a
Instruction ID: 30c57d422d24ae6f349e2e4107804773a4cfd0e5db787d517da4e21c7ea1ed97
Opcode Fuzzy Hash: e5c592ea872827c119e744431f646e3d16f2265ebee175d083622b648527692a
Instruction Fuzzy Hash: E411EFB1C006699BCB10DF9AC545BDEFBF4AB48320F14816AE818A7251D778A944CFA5

Function 063C7239 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063C72A6

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3feb2a5fa0be5d39461787e5b6a489b5693976780edbbfee4318c5529b94c8d6
Instruction ID: efc6a3cb47f21a081d662a8788d373189d91ddc5414111f15880941928338b83
Opcode Fuzzy Hash: 3feb2a5fa0be5d39461787e5b6a489b5693976780edbbfee4318c5529b94c8d6
Instruction Fuzzy Hash: A211F3B6D002498FCB10CF9AC444ADEFBF4EB89224F14852EE859A7210C375A945CFA5

Function 0149AF48 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149AFD7

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3b0c7d26d34bef9f4becf9abf6bda3c4a69639eecf85490be3f648db3ea1032
Instruction ID: 14b43420afc1fff49b9300c8007401d3f17db89c92c8fbe526c0a196cdf49a60
Opcode Fuzzy Hash: e3b0c7d26d34bef9f4becf9abf6bda3c4a69639eecf85490be3f648db3ea1032
Instruction Fuzzy Hash: 1B1157B5904208DFDF01CFA9D844AEEBFF4EF49310F24805AE959A7261C338A954DF61

Function 063C7240 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063C72A6

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 208c884790426d376da0139c700bcbf918df5c52ba4eadc4a31c534a0089df4c
Instruction ID: e5b72c0b8921b718e9472a1a1e4434db5c952139730ca8c368a4d64712c01c18
Opcode Fuzzy Hash: 208c884790426d376da0139c700bcbf918df5c52ba4eadc4a31c534a0089df4c
Instruction Fuzzy Hash: 2611E0B6C002498FDB14DF9AC844ADEFBF4EB89324F10852EE859B7210D375A945CFA5

Function 0149B7F0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0149BDD5

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 60853ef3bb3c502de50d9c8648916a2e6a7dfbb1be75022e35cfb9896dec9788
Instruction ID: c88588d18e48bca963aee31524604728d23716c51a362bf21a074ac710c93ffc
Opcode Fuzzy Hash: 60853ef3bb3c502de50d9c8648916a2e6a7dfbb1be75022e35cfb9896dec9788
Instruction Fuzzy Hash: 2B1103B19002488FDB20DF9AD449BDEBFF4EB48324F20855AD558A7210C374A945CFA5

Function 063C7624 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,063C919D), ref: 063C9227

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0d1b249ddf35e8effc62c41a85ba993d03b35f983a90015b7ac2ced797f33892
Instruction ID: ee5c7aaec6d39219b95e8ab836413b22822fba434a15d94c1f5b22fdb36656f4
Opcode Fuzzy Hash: 0d1b249ddf35e8effc62c41a85ba993d03b35f983a90015b7ac2ced797f33892
Instruction Fuzzy Hash: 391103B5800249CFCB60DF9AD449BDEBFF8EB48324F20845AE559A7250C374A944CFA5

Function 063C91C0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,063C919D), ref: 063C9227

Memory Dump Source

Source File: 00000001.00000002.4120298723.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_63c0000_Po-AD841.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b108ee08b8612a659db5b16bb54b2943ca268b6e8a3191675b0297cfd47e7751
Instruction ID: 5edc316a5889a4e9b234db1aa19e33743ebf0dd865328827887f71ed64ea71a6
Opcode Fuzzy Hash: b108ee08b8612a659db5b16bb54b2943ca268b6e8a3191675b0297cfd47e7751
Instruction Fuzzy Hash: CC11F2B58002498FCB20DF9AD445BDEBBF8EB49324F20845AE598A7251C375A944CFA5

Function 0149BD78 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0149BDD5

Memory Dump Source

Source File: 00000001.00000002.4115218390.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1490000_Po-AD841.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8e7f5352e3caad3f6a9bbb502b797eb752e93688ec2d978da4e52040baa10baa
Instruction ID: 76924a3f5764b67de7af95a29a60108e9e46e5c2d56f2051c85a05c2dec07ef0
Opcode Fuzzy Hash: 8e7f5352e3caad3f6a9bbb502b797eb752e93688ec2d978da4e52040baa10baa
Instruction Fuzzy Hash: C01115B58002488FDB20DF9AD445BDEBFF4EB48324F20845AD558A7710C374A944CFA5

Function 06385E85 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06385FD3

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 05f379bb2b22cab6be1c1b1612e989976f742e21fe001da022633f1cf1a323aa
Instruction ID: 100d541a6979626ee4b7c9f4251452cc0a7ec326c1fddd4c6192d50d877d5c6a
Opcode Fuzzy Hash: 05f379bb2b22cab6be1c1b1612e989976f742e21fe001da022633f1cf1a323aa
Instruction Fuzzy Hash: 6B41F331B003018FDB96AB74D4546AF7BE6AF95220F108469E402DB384EF35DC4ACBE2

Function 06385E98 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06385FD3

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 1b44e254b047cbc4e4e72f4b65c7431634fc6acb078d7b1f4f9d3d08fb727dc4
Instruction ID: 593e289eb65d525293c23aea89133a15c382bdf3a868187db0bd7ccc37b8c991
Opcode Fuzzy Hash: 1b44e254b047cbc4e4e72f4b65c7431634fc6acb078d7b1f4f9d3d08fb727dc4
Instruction Fuzzy Hash: DC31D030B003058FDB99AB74D5546AF7AE6AF94210F208429E406DB384EF35DC4ACBD1

Function 0638C347 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638C36C

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 21c3dc21d9349c907a54139c1f99cf71eb4f6be63c31e690ed43731f3a0e53eb
Instruction ID: 0b9cb3dec4d2aeb00b8ce650be44d919383c8a24160c91ddb2824efdafaf0adc
Opcode Fuzzy Hash: 21c3dc21d9349c907a54139c1f99cf71eb4f6be63c31e690ed43731f3a0e53eb
Instruction Fuzzy Hash: 54F03A35A00318DFDF64AB50ED506ECB778FB80215F589562D801E7650C3799E9BCBE0

Function 063886D9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 063886E5

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 7f7fa49f3893b13f7cf747bfcf1b50fbb31d78350a8d2a79cd7aaf011aff9af2
Instruction ID: ad54819e2842b29d5654597f1eb121b5c890510584fda2eb678a7e60ec0a6e93
Opcode Fuzzy Hash: 7f7fa49f3893b13f7cf747bfcf1b50fbb31d78350a8d2a79cd7aaf011aff9af2
Instruction Fuzzy Hash: CAF0DA30A60219DFDB14DF94E9597AEBBB2BF84700F604519E102A7294CB741D05CFC0

Function 06389E68 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5453509c5a0e5c798d39af83ad585e891a0a1f34d8a71dd5fb92ed5da8dc0c58
Instruction ID: de773ed9b2d00458d0d7d09c1880013366c8b9e2887e7d1ec17390509e8a7c43
Opcode Fuzzy Hash: 5453509c5a0e5c798d39af83ad585e891a0a1f34d8a71dd5fb92ed5da8dc0c58
Instruction Fuzzy Hash: 2A61B171F001114FCF54AA7DC8846AFBAD7AFD4610B25443AD80EDB364DE65ED0287D6

Function 06387B20 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d68d4064dc18ce9a1bf562af976c669c131532a087b114c08addbe1659e8aa5
Instruction ID: 7d014e0b65d2070dcbf3185e763ca267af57efd514d5c432c26ddb83f96dda89
Opcode Fuzzy Hash: 6d68d4064dc18ce9a1bf562af976c669c131532a087b114c08addbe1659e8aa5
Instruction Fuzzy Hash: 88814D31B102099FDF55EBA8D4506AEB7B3AF99304F208425D40ADB395EA34EC86CB91

Function 06387E40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58c0aafcad60998dc7ea1e1faf369fbd19887adcf7f36e157cdbc5f4b114206
Instruction ID: e96899e665c65279f532e8e4072e066ea473edab6df7dd3c02cf2a573096da78
Opcode Fuzzy Hash: f58c0aafcad60998dc7ea1e1faf369fbd19887adcf7f36e157cdbc5f4b114206
Instruction Fuzzy Hash: D1912C30E1021A8FDF60DF68C890BDDBBB1FF85314F208599D449AB255DB70AE85CB91

Function 063801F8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06241b127121fc7b54acd6a56ea48e67178e407af09d2c8f3fc79a630e586d49
Instruction ID: bcbfc47d9316318053162eef77d84443fc14fe834504b000ac6809212b8e363a
Opcode Fuzzy Hash: 06241b127121fc7b54acd6a56ea48e67178e407af09d2c8f3fc79a630e586d49
Instruction Fuzzy Hash: 80817E71A002058FDB54DF69D884BDDBBF6FF88310F14C169E909AB395DB719948CB90

Function 06387E58 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652dd31bc9ef066b9a5153a0f33cb17ccb563fcb1adcab78897a2b117efc8325
Instruction ID: 2edef23b7111c6bea184c93dd0cb178866da42c744fed90883c6f80b8fc031a7
Opcode Fuzzy Hash: 652dd31bc9ef066b9a5153a0f33cb17ccb563fcb1adcab78897a2b117efc8325
Instruction Fuzzy Hash: D0913C30E1021A8FDF60DF68C880BDDB7B2FF89304F208599D549AB255DB70AE85CB91

Function 06380040 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fff3355917de140273b5e599298d0d98191b54d4fcb5861b58896bdefb82c0
Instruction ID: 489775173f2e87a6a882540681564e3eb216918d261191cc1e4416f5bb3532b8
Opcode Fuzzy Hash: 27fff3355917de140273b5e599298d0d98191b54d4fcb5861b58896bdefb82c0
Instruction Fuzzy Hash: 1641A275F103068FDF68AAA8D8907AFB765EB85224F204826D419D7380D735DC8ECBD2

Function 0638001F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17ad6840d7e132e864a7f2b589ee9f6ff14ca6251725177377ebf2fe0010fb0
Instruction ID: d540b5605b237c27b6478bdd67d9e306368af89c02e7c4488a7da536755e6965
Opcode Fuzzy Hash: a17ad6840d7e132e864a7f2b589ee9f6ff14ca6251725177377ebf2fe0010fb0
Instruction Fuzzy Hash: C441D474E103058FDB69AB68C8907AFBB76EB86214F10482AC459D7381C735DC4EC7C2

Function 063890A8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c766965efae14ec7467d096b8ecf2e0d7762d38d3dedc4de5afd5d9ca430c
Instruction ID: 6f2ab5f22e654562a66362a8c179fa08db044e6a2978f9188e1fd303ed9a2d13
Opcode Fuzzy Hash: ef1c766965efae14ec7467d096b8ecf2e0d7762d38d3dedc4de5afd5d9ca430c
Instruction Fuzzy Hash: F9411671E007098FDB60DEADD884BBFFBB6EB84310F10492AD216D6694D631A949CBD0

Function 06385D49 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b8bba928bbf3628aa396786d9bc5ddc5534722add9c26fb6f1be8a177cda66
Instruction ID: e2f2c2bb4e03a0988a6806296bad29a2adc8c1bfe3cacb18c7997c44ca9cd4ac
Opcode Fuzzy Hash: 82b8bba928bbf3628aa396786d9bc5ddc5534722add9c26fb6f1be8a177cda66
Instruction Fuzzy Hash: 4D315D35E1030A9FCB99DF64D8546DEB7B6EF89310F108529E816E7750DB70AC4ACB90

Function 06385D58 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5ef29a04906aca206baee30249f0577b65aff41b4cfb856d43e65b85760051
Instruction ID: d2c4ca0b29972f543e2fa7304d260133730444c1bdb7018d9325cc53dc603aab
Opcode Fuzzy Hash: 9f5ef29a04906aca206baee30249f0577b65aff41b4cfb856d43e65b85760051
Instruction Fuzzy Hash: 02314D34E1070A9FCB59DF65D85469EB7B2EF89310F108529E816E7750DB70AC4ACB90

Function 0638772A Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ffd5954332356a95bacf81cc37a2ddf4c01efec3721c87e7da4a1599212895
Instruction ID: b489ef9867b516466f65ab6be41f7d841a9a9efadf6568024080d1d013c47874
Opcode Fuzzy Hash: a0ffd5954332356a95bacf81cc37a2ddf4c01efec3721c87e7da4a1599212895
Instruction Fuzzy Hash: 42218D79E002059FDB50DFB8E981AEEBBF6EB58210F148025E904E7344E730D941CBD1

Function 06387738 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5a4ce94a04cdd7d62f861457ecef72d552e0fe6dca344c2ec34db8d934e680
Instruction ID: f0a5b1eeda78dbda95054b88f77c7fd9868940649e9552edec096d5c9fd7636f
Opcode Fuzzy Hash: dc5a4ce94a04cdd7d62f861457ecef72d552e0fe6dca344c2ec34db8d934e680
Instruction Fuzzy Hash: 5B217C75E102159FEB50EF79D980AEEBBF6FB58610F248025E915E7384E730D901CB91

Function 012AD2CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ca2a1f03571c1544c22144054d0d482f49ca0011b5b69b858592fd9c093824
Instruction ID: 073eff8aeab724f2c87d2de330eb1dba2ac99ccc021d5c4f2e711f1dde8335d5
Opcode Fuzzy Hash: 49ca2a1f03571c1544c22144054d0d482f49ca0011b5b69b858592fd9c093824
Instruction Fuzzy Hash: 0A2187B1114208DFCB01DF58D9C4B2AFFA5FB88324F60C96DE9090BA42C37AD406CEA1

Function 012AD104 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968f098096293b230eafd5c431b585d70f0b728d10a364d4647df20f209061b6
Instruction ID: 0b25e7463cb4c6f7fb361bb2bf27554197f91d3105afa258995dd0709c30aa37
Opcode Fuzzy Hash: 968f098096293b230eafd5c431b585d70f0b728d10a364d4647df20f209061b6
Instruction Fuzzy Hash: B0217970214308DFDB05DF58C9C0B26BBA1FB84314F60C5ADE9494B752C37AE446CB61

Function 012AD47C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe56e46088824389a555efe99d3e0de84e9bf49d2b78cc0918e88de515af2ca
Instruction ID: 829f4c7c70fdf29e7614ab7eb646f5a8e846e931ded20b898ceec3b32481492d
Opcode Fuzzy Hash: dfe56e46088824389a555efe99d3e0de84e9bf49d2b78cc0918e88de515af2ca
Instruction Fuzzy Hash: 86219870110208DFDB01DF58E5C0B26BFA1FB88318F60C5ADE9494B756C376D846CB61

Function 0638AD98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba73d1d3c3eb9ef46cef77a273325009b377bb048bff84121f3f42d7a8cac4
Instruction ID: 03649e86f5eb472829e83c2e8aa55f86f1c604d54ec94ecf63547f970463edcf
Opcode Fuzzy Hash: 6aba73d1d3c3eb9ef46cef77a273325009b377bb048bff84121f3f42d7a8cac4
Instruction Fuzzy Hash: AF21AF31B102199FDF94EA69E9506DEF7B6EF84314F148426D809EB384DB31AC46CBC5

Function 06386CE8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94982c2af92c352a58a846979d3483aa535c388caf865cf23e9414fa741f555f
Instruction ID: ef3a684b7ad5951cff9769526c8b91205e73f0746ecda165a47d331f9e35a54c
Opcode Fuzzy Hash: 94982c2af92c352a58a846979d3483aa535c388caf865cf23e9414fa741f555f
Instruction Fuzzy Hash: 5111B171E002189FCF54EB68D8415DEBBB5EFC9310F208969D009E7214DA31DD49CBD1

Function 0638909A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f617edb9cd690e5607f0b3bffd592801d64ca00fc801d96e319dfd65e7e9746c
Instruction ID: 076361d3c7d72a75d93ca8f20ead1c5663ef895d2b786319f985e07db4a8ef1b
Opcode Fuzzy Hash: f617edb9cd690e5607f0b3bffd592801d64ca00fc801d96e319dfd65e7e9746c
Instruction Fuzzy Hash: B5118171A047099FCB21DFA9DC809AFFFB6BB85210B104929D15597651C731A949CBD0

Function 06387A80 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb1cf790695f24462cda808065cbd3d19befc36a2f58aa98c50d3137780c96d
Instruction ID: 7a24617ea74b29cc5b6c63c9238f86d0b1576d41fc591067a240898ee3b72a4a
Opcode Fuzzy Hash: 3cb1cf790695f24462cda808065cbd3d19befc36a2f58aa98c50d3137780c96d
Instruction Fuzzy Hash: 92019231B102111FDB62A57C9851BAFA7EBCBC9710F24883AF00ACB741D969CD0683A1

Function 06387848 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f2846e6ef8c696878e32d6d68677fa79b63c46e343feea2a69d24d25051b82
Instruction ID: 89f7661344d0a6319aa597a65671b7de9938e9aa64145a94e6f3b583da350b93
Opcode Fuzzy Hash: 01f2846e6ef8c696878e32d6d68677fa79b63c46e343feea2a69d24d25051b82
Instruction Fuzzy Hash: D0117C32F102285FDB64A668C8146AE73BBABC8710F20807AD40AE7354DE249C02CBD1

Function 06387837 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6e42250e55b9e0d1bbacda5022bee7731cf63cc5881585937cb793075a8071
Instruction ID: 6f5a010763dea41bf1cadb0e959ebd6e63cde92271a9a0ae5f3fbcd531fd08ef
Opcode Fuzzy Hash: 8e6e42250e55b9e0d1bbacda5022bee7731cf63cc5881585937cb793075a8071
Instruction Fuzzy Hash: ED01B136F142256FDBA4A5689C156EF67BF9BC8200F248136D009E7744DE608846C7E2

Function 06387502 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ef3d1b21fdeaa9cae6b7c87c1db3fd8c45bd609ea597d0d0c6a127c2e754c4
Instruction ID: 985806f21eacc2a6d76161eb7aea5c141d90ba24e1d16f8a6f421b0742a2efdc
Opcode Fuzzy Hash: 48ef3d1b21fdeaa9cae6b7c87c1db3fd8c45bd609ea597d0d0c6a127c2e754c4
Instruction Fuzzy Hash: 9121E3B5D01259AFCB10DF9AD884ADEFFB4FB49310F20812AE558A7200C374AA54CFE5

Function 0638E380 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6efeb40e58ad21427a92e87710b658d14267104586563abdd3756162c3c059
Instruction ID: e34f494d9d2fb5a64d00cc092cc5674d78d0931d313d770fca38c1b0dcd9cba5
Opcode Fuzzy Hash: fe6efeb40e58ad21427a92e87710b658d14267104586563abdd3756162c3c059
Instruction Fuzzy Hash: 6501D835B101104FCBA2A67CE8657AB77E5DB8A324F108839E40DC7364DA34DC49C3D1

Function 012AD2C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 740d574e8e8da271da533cf9dea3ec439efee8382ac31ae99f457459848db8e8
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 30119076504284CFDB12CF14D5C4B1ABF61FB84324F24C6AAD9494BA56C33AD40ACF51

Function 012AD0FF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 8bf92278ca0501aedd4139dbecee67de19739fee93fe4f4a5884081d4cdc709c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7811D075504244CFDB06CF58C9C4B15BF61FB84314F24C6A9DD494B652C33AE44ACB61

Function 012AD477 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114987328.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: fd9038c6fba5d8a39f3da8d71faac91450c3d0296fc6cba0cc12a4a5efc181fe
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E211BB75504284CFDB02CF58E5C4B15BFB2FB84318F24C6AAD9494B656C33AD44ACF62

Function 06387508 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e115934236f43b52c0474d4466d744f7ead9f18f466d1420d5be23bd8d80fb
Instruction ID: 1d5976d53bcd32172fae0a2797583cc0d21e71e2007af09485ae1694bfef05dd
Opcode Fuzzy Hash: 98e115934236f43b52c0474d4466d744f7ead9f18f466d1420d5be23bd8d80fb
Instruction Fuzzy Hash: 9311D3B5D012599FCB00DF9AD884ACEFBB4FB48310F10812AE518A7200C374A944CFE5

Function 06387A90 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21d92e6c24eae79cc9d5a4e1f7d1da06e12df0f8f4cdad0ebf345efce242814
Instruction ID: d26cba10ec4cab4d4a05ae6d8830af175e1a632455b8e0b7a3a415452e42df6c
Opcode Fuzzy Hash: d21d92e6c24eae79cc9d5a4e1f7d1da06e12df0f8f4cdad0ebf345efce242814
Instruction Fuzzy Hash: 0801A931B101141FDB65A66DA450B6FA3EBCBC9710F208839E00ECB340DE69DC0683A5

Function 0638A480 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1585c09e3d20db1e98c2f766f069f042f7a342d4ecc8ba3e68c3efad74261142
Instruction ID: 317ad22e7a5f37f70e5f14c33b05c96082845c05ed6ee2aabf0c43507756afbb
Opcode Fuzzy Hash: 1585c09e3d20db1e98c2f766f069f042f7a342d4ecc8ba3e68c3efad74261142
Instruction Fuzzy Hash: 74016D5240E3D41EDB436A389C751E63F74DE53114B1A44DBD4D5CF1A3E108CA8EE3A6

Function 0638E390 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ecaca2916e43b70cc33744d16d69a7c89586919ca6e744da62518f8b06f748
Instruction ID: 4fa5a85c0401b86c6ed0e0082642eebc507a58e371382893252486a0329d2ce7
Opcode Fuzzy Hash: a0ecaca2916e43b70cc33744d16d69a7c89586919ca6e744da62518f8b06f748
Instruction Fuzzy Hash: 99016D30B102145FDB61A67DE855B6AB3D9EB8A724F108839E40EC7354DA71DC4683C5

Function 0638EFA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e5a1db234f8e80e321ba2ef1df4da5b82e92b32f49136bfe322854e67d1fe8
Instruction ID: dac653fd220f655a602d154efab31d8bd2bf1945e13960ac94c6cdf8d1e195b1
Opcode Fuzzy Hash: 20e5a1db234f8e80e321ba2ef1df4da5b82e92b32f49136bfe322854e67d1fe8
Instruction Fuzzy Hash: 12F0A732E103688FEF709569E4447CABBE9E745320F11483AE90AD7240D6309809C7C1

Function 0638A4F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195e45b8636c3f4bacc314e1e15b6fec82fa6c7e2ae67eeb25206a7346fd5584
Instruction ID: c50d666d22f17d58779c6ec4258989dbcb36e4203a5cfdab881c2b8f54959a1d
Opcode Fuzzy Hash: 195e45b8636c3f4bacc314e1e15b6fec82fa6c7e2ae67eeb25206a7346fd5584
Instruction Fuzzy Hash: 62F09B319063496FDF60EE709D416EA7FBCDB02614F2144D7E484CB142E535CA89D7E1

Function 0638A500 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217bf573ed346612cb0fc09a2c64cd65f2234e331003aad94ccc0474bf275227
Instruction ID: 0878233d228d1f95cb1fd9e9f37715082ccfb62050e0427ee214cdf580731e94
Opcode Fuzzy Hash: 217bf573ed346612cb0fc09a2c64cd65f2234e331003aad94ccc0474bf275227
Instruction Fuzzy Hash: 81E01271E1030DAFDF50EEB4C94579E77ADD701214F2088A6D449D7201E576DA45DBC0

Non-executed Functions

Function 0638B720 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638B841
$^q, xrefs: 0638BC78
$^q, xrefs: 0638B81C
$^q, xrefs: 0638BBCD
$^q, xrefs: 0638BC6C
$^q, xrefs: 0638BBD9
$^q, xrefs: 0638BC82
$^q, xrefs: 0638BC8E
$^q, xrefs: 0638B84D
$^q, xrefs: 0638B810

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 9d206e67c93217d941ebfe3fcd58723b4f6393c3f601d37b8eca04f41a6eed1a
Instruction ID: c464c3d7b2a055112b353b85fcac8dbf70274b4b293526dd2307f382dad893c7
Opcode Fuzzy Hash: 9d206e67c93217d941ebfe3fcd58723b4f6393c3f601d37b8eca04f41a6eed1a
Instruction Fuzzy Hash: 2212FC30E0031A8FDB64EF65D954A9DB7B6BF84304F208569D40AAB365DB319D85CF81

Function 0638E9B8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638EABA
$^q, xrefs: 0638EB34
$^q, xrefs: 0638EAAE
$^q, xrefs: 0638EB76
$^q, xrefs: 0638EB15
$^q, xrefs: 0638EB09
$^q, xrefs: 0638EB6A
$^q, xrefs: 0638EB40

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 4e4cf8bc625208e2553f4b857ca50eab851efe9f86fffe66f2af2684eab02c7a
Instruction ID: 262a8ec9e4c035ad5bd97e7f27b231f98cf56ff79b9b1f3572795c7a66700985
Opcode Fuzzy Hash: 4e4cf8bc625208e2553f4b857ca50eab851efe9f86fffe66f2af2684eab02c7a
Instruction Fuzzy Hash: 2B916D30E103099FEB69EB69D554BAEBBB6BF84300F108429E4029B394DB759C49CBD0

Function 0638B120 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638B402
$^q, xrefs: 0638B45C
$^q, xrefs: 0638B5BC
$^q, xrefs: 0638B468
$^q, xrefs: 0638B628
.5vq, xrefs: 0638B17B
$^q, xrefs: 0638B634

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 52fb834a49ecef7ad7c4632be4244e2cf03a4dd5c94ccd51e9c7ccd2e68104ad
Instruction ID: 97757db34d1b12d779dad0ffca1ee6598aa2317318e5d1f2d73fc2ec218c37fd
Opcode Fuzzy Hash: 52fb834a49ecef7ad7c4632be4244e2cf03a4dd5c94ccd51e9c7ccd2e68104ad
Instruction Fuzzy Hash: F9F14030B01309CFDB54EF65D594AAEBBB6BF94300F248569D4169B368CB35DC86CB90

Function 0638C458 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638C723
$^q, xrefs: 0638C717
$^q, xrefs: 0638C6BE
$^q, xrefs: 0638C6B2

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 12fc3c39aa9d67e4f21ea8fd4c4fb45893368a4c9e8cd5b2934497d1bcefb35e
Instruction ID: 48d5e9c630a9e0a519a04e3ca42f8bd63a9b4ea41236de219154be9c49c2b8fb
Opcode Fuzzy Hash: 12fc3c39aa9d67e4f21ea8fd4c4fb45893368a4c9e8cd5b2934497d1bcefb35e
Instruction Fuzzy Hash: 0FB13930E102098FDB64EB79D5946AEB7B6BF94300F249829D40ADB364DB75DC86CB90

Function 0638C870 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0638C963
$^q, xrefs: 0638C8EF
LR^q, xrefs: 0638C9B2
$^q, xrefs: 0638C8FB

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 778b91fd5d95a25df3087a1ee3119da88c02ec3c02be7ef36f40cc0de61f60d5
Instruction ID: 11a626e34750a34b2d4b02bd1b638b18cae6b7f71db8c947620bb7c90592064a
Opcode Fuzzy Hash: 778b91fd5d95a25df3087a1ee3119da88c02ec3c02be7ef36f40cc0de61f60d5
Instruction Fuzzy Hash: B851C231B002058FDB58EB38D990AAAB7E6FF88304F1485A9E405DB365DB31EC44CBE0

Function 0638ED40 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$^q, xrefs: 0638EEC4
$^q, xrefs: 0638EE71
$^q, xrefs: 0638EF1C
$^q, xrefs: 0638EEF3

Memory Dump Source

Source File: 00000001.00000002.4120215073.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6380000_Po-AD841.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6f5a65f90543642421444f4a5682eb4439651158d1ebbd0733198d32e8bde59d
Instruction ID: c478c6fccc68e3be0f106c02cfc7f73e1767bb9156c2805b6fd8b99e1d51b193
Opcode Fuzzy Hash: 6f5a65f90543642421444f4a5682eb4439651158d1ebbd0733198d32e8bde59d
Instruction Fuzzy Hash: 60514A30E102059FDF65EB69E990AAEB7B6EF94300F14852AE805DB354DB31EC49CBC1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Po-AD841.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Windows Analysis Report
Po-AD841.exe

Function 00DCD349 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 00DCD358 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00DCB0D0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 00DC590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00DC4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00DCD599 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00DCD5A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00DCB2C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0638BE00 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Function 0638ED50 Relevance: 10.4, Strings: 8, Instructions: 394
COMMON

Function 0638F6D8 Relevance: 8.0, Strings: 6, Instructions: 475
COMMON

Function 01499B90 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 0149AD06 Relevance: 6.1, APIs: 4, Instructions: 127
threadCOMMON

Function 01499C8C Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329
COMMON

Function 0638D1D0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Function 063887F0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Function 0638D1C0 Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre